Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll
Analysis ID: 597480
MD5: f37c7d5fa69ad187235a162203eacafd
SHA1: 970f5aac456ac9e403c445bbf9eae084019b9b46
SHA256: 4b2ff97ccb7034b07618bf9fc3e8935c233a564574ad1629280bf39e7dcb5ec3
Tags: dll

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Overwrites code with function prologues
Sigma detected: Suspicious Call by Ordinal
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Uses 32bit PE files
One or more processes crash
Tries to load missing DLLs
Checks if the current process is being debugged
PE file contains sections with non-standard names
PE file contains more sections than normal
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6596 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6608 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6640 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 6956 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6624 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll,TMethodImplementationIntercept MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6940 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 752 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6704 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll,__dbk_fcall_wrapper MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6788 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll,dbkFCallWrapperAddr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4384 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 748 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7020 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",TMethodImplementationIntercept MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 3652 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 6972 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7076 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",__dbk_fcall_wrapper MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7100 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",dbkFCallWrapperAddr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 752 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 6952 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 752 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7116 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",rm5MLoUr43vZ510sxf6Pi MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth; Data: Command: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6608, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",#1, ProcessId: 6640, ProcessName: rundll32.exe

AV Detection

Source: SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll; Virustotal: Detection: 24%
Source: SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll; ReversingLabs: Detection: 35%
Source: SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll; Joe Sandbox ML: detected
Source: rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp; Binary or memory string: -----BEGIN RSA PUBLIC KEY-----
Source: SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp; Strings found in binary or memory:
  • http://chart.apis.google.com/chart?chs=%dx%d&cht=qr&chld=%s&chl=%sS
  • http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS
  • http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfU
  • http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS
  • http://tools.ietf.org/html/rfc1321
  • http://tools.ietf.org/html/rfc4648S
  • http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS
  • http://www.ietf.org/rfc/rfc3447.txtS
  • http://www.itl.nist.gov/fipspubs/fip180-1.htm
  • http://www.movable-type.co.uk/scripts/xxtea.pdfS
  • http://www.schneier.com/paper-blowfish-fse.htmlS
  • http://www.schneier.com/paper-twofish-paper.pdfS
Source: rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp; String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: loaddll32.exe, 00000001.00000003.535946079.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.256202603.0000000005900000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000000.257143171.0000000005E60000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000003.253172060.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.314465297.0000000005D90000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.334711343.0000000005650000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.297552526.0000000005650000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000000.312728697.0000000005540000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000003.295847556.0000000005F20000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://www.indyproject.org/
Source: loaddll32.exe, 00000001.00000003.536706912.0000000003D05000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000000.286173453.0000000005765000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.254796884.0000000005625000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.302407533.0000000003445000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000000.312642934.00000000053F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.299205139.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.297683056.0000000005E85000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://code.google.com/p/ddab-lib/issues/list
Source: C:\Windows\System32\loaddll32.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: security.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: olepro32.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: iertutil.dll
Source: SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll; Static PE information: Number of sections: 12 > 10
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll,TMethodImplementationIntercept
Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll"
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",#1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll,__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll,dbkFCallWrapperAddr
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 752
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 756
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",rm5MLoUr43vZ510sxf6Pi
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 748
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 756
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 752
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 752
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 756
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7020
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6640
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7100
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6788
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6624
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA11.tmp
Source: classification engine; Classification label: mal68.evad.winDLL@36/24@0/1
Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll; Static file information: File size 6532096 > 1048576
Source: SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll; Static PE information: Raw size of .YPm1 is bigger than: 0x100000 < 0x639e00
Source: SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll; Static PE information: More than 200 imports for user32.dll
Source: SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll; Static PE information: section name: .didata
Source: SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll; Static PE information: section name: .YPm0
Source: SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll; Static PE information: section name: .YPm1
Source: initial sample; Static PE information: section where entry point is pointing to: .YPm1

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6788 base: 746CB060 value: E9 AA 4F FC 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6788 base: 36A0005 value: E9 DB F8 87 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6788 base: 75F1F8E0 value: E9 2A 07 78 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6788 base: 36B0005 value: E9 FB 42 89 72 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6788 base: 75F44300 value: E9 0A BD 76 8D Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7020 base: 2A40005 value: E9 FB BF A5 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7020 base: 7749C000 value: E9 0A 40 5A 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7020 base: 2A50008 value: E9 AB E0 A8 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7020 base: 774DE0B0 value: E9 60 1F 57 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7020 base: 2BD0005 value: E9 CB 5A AD 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7020 base: 746A5AD0 value: E9 3A A5 52 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7020 base: 2BE0005 value: E9 5B B0 AE 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7020 base: 746CB060 value: E9 AA 4F 51 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7020 base: 2EC0005 value: E9 DB F8 05 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7020 base: 75F1F8E0 value: E9 2A 07 FA 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7020 base: 5360005 value: E9 FB 42 BE 70 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7020 base: 75F44300 value: E9 0A BD 41 8F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 2C20005 value: E9 FB BF 87 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 7749C000 value: E9 0A 40 78 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 2D40008 value: E9 AB E0 79 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 774DE0B0 value: E9 60 1F 86 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 2D60005 value: E9 CB 5A 94 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 746A5AD0 value: E9 3A A5 6B 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 2D70005 value: E9 5B B0 95 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 746CB060 value: E9 AA 4F 6A 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 2D80005 value: E9 DB F8 19 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 75F1F8E0 value: E9 2A 07 E6 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 2D90005 value: E9 FB 42 1B 73 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 75F44300 value: E9 0A BD E4 8C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7100 base: 2C10005 value: E9 FB BF 88 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7100 base: 7749C000 value: E9 0A 40 77 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7100 base: 2C20008 value: E9 AB E0 8B 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7100 base: 774DE0B0 value: E9 60 1F 74 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7100 base: 5360005 value: E9 CB 5A 34 6F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7100 base: 746A5AD0 value: E9 3A A5 CB 90 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7100 base: 5370005 value: E9 5B B0 35 6F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7100 base: 746CB060 value: E9 AA 4F CA 90 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7100 base: 5490005 value: E9 DB F8 A8 70 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7100 base: 75F1F8E0 value: E9 2A 07 57 8F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7100 base: 54A0005 value: E9 FB 42 AA 70 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7100 base: 75F44300 value: E9 0A BD 55 8F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 32E0005 value: E9 FB BF 1B 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 7749C000 value: E9 0A 40 E4 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 32F0008 value: E9 AB E0 1E 74 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 774DE0B0 value: E9 60 1F E1 8B Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 3520005 value: E9 CB 5A 18 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 746A5AD0 value: E9 3A A5 E7 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 3530005 value: E9 5B B0 19 71 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 746CB060 value: E9 AA 4F E6 8E Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 5BE0005 value: E9 DB F8 33 70 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 75F1F8E0 value: E9 2A 07 CC 8F Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 5BF0005 value: E9 FB 42 35 70 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 75F44300 value: E9 0A BD CA 8F Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 6596 base: 7749C000 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 6596 base: 746A5AD0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 6596 base: 746CB060 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 6596 base: 75F1F8E0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\System32\loaddll32.exeMemory written: PID: 6596 base: 75F44300 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6704 base: 7749C000 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6704 base: 746A5AD0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6704 base: 746CB060 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6704 base: 75F1F8E0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6704 base: 75F44300 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 7749C000 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 746A5AD0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 746CB060 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 75F1F8E0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7076 base: 75F44300 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 7749C000 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 746A5AD0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 746CB060 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 75F1F8E0 value: 8B FF 55 8B EC Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 7116 base: 75F44300 value: 8B FF 55 8B EC Jump to behavior
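The "Memory written" entries above read directly as an inline-hook install and remove sequence once the bytes are decoded: a 5-byte near jump (opcode E9 followed by a signed 32-bit displacement counted from the end of the instruction) written at a function start in a system module, a second jump written into a private allocation that lands a few bytes past that same function start (the trampoline returning into the displaced original code), and later the hot-patch prologue 8B FF 55 8B EC (mov edi,edi; push ebp; mov ebp,esp) written back to the same addresses. The script below is an added example for decoding those lines; it is not Joe Sandbox code and not code from the analysed sample. It assumes, for this 32-bit WoW64 run, that addresses at or above 0x70000000 belong to mapped system DLLs (with the report's loaded-module list one would check real image ranges instead); the lines embedded in it are copied from the PID 6640 and PID 6704 entries above.

```python
"""Decode the report's 'Memory written' lines into hook, trampoline and restore records.

Added example for reading those lines; not Joe Sandbox code and not code from the
analysed sample. It uses only what each line shows (writing PID, address written,
first bytes written) and decodes the 5-byte x86 near jump 'E9 rel32'.
"""
import re
import struct

# MSVC hot-patchable prologue found at Win32 system-DLL exports:
# 8B FF = mov edi,edi ; 55 = push ebp ; 8B EC = mov ebp,esp
HOTPATCH_PROLOGUE = bytes.fromhex("8BFF558BEC")

# Most bytes a simple inline hook relocates into its trampoline before the jump back.
MAX_DISPLACED = 16

LINE_RE = re.compile(
    r"PID:\s*(?P<pid>\d+)\s+base:\s*(?P<base>[0-9A-Fa-f]+)"
    r"\s+value:\s*(?P<val>[0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*)"
)


def in_module(addr):
    """Assumption for this 32-bit (WoW64) run: hooked addresses lie in the
    0x74xxxxxx-0x77xxxxxx range where system DLLs are mapped, while the sample's
    trampolines sit in low private allocations. With the report's module list
    this would be a lookup against real image ranges."""
    return addr >= 0x70000000


def parse_line(line):
    """(pid, base, data) for one 'Memory written' line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return int(m["pid"]), int(m["base"], 16), bytes.fromhex(m["val"].replace(" ", ""))


def jmp_target(base, data):
    """Destination of an 'E9 rel32' written at base: rel32 is signed, counted
    from the end of the 5-byte instruction, and the sum wraps at 32 bits."""
    if len(data) < 5 or data[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", data, 1)[0]
    return (base + 5 + rel) & 0xFFFFFFFF


def analyze(lines):
    """Per PID: {'hooks': {site: {'detour', 'trampoline', 'displaced'}}, 'restored': {site}}.
    A hook is a JMP written into a module; its trampoline is the JMP written into
    private memory that lands 1..MAX_DISPLACED bytes past the hooked site."""
    writes = [w for w in map(parse_line, lines) if w]
    result = {}
    for pid, base, data in writes:                      # pass 1: hooks and restores
        proc = result.setdefault(pid, {"hooks": {}, "restored": set()})
        target = jmp_target(base, data)
        if data == HOTPATCH_PROLOGUE:
            proc["restored"].add(base)
        elif target is not None and in_module(base):
            proc["hooks"][base] = {"detour": target, "trampoline": None, "displaced": None}
    for pid, base, data in writes:                      # pass 2: pair trampolines
        target = jmp_target(base, data)
        if target is None or in_module(base):
            continue
        for site, hook in result[pid]["hooks"].items():
            if 0 < target - site <= MAX_DISPLACED:
                hook["trampoline"], hook["displaced"] = base, target - site
    return result


def describe(lines):
    """One readable string per hooked site and per restored site."""
    out = []
    for pid, proc in sorted(analyze(lines).items()):
        for site, h in sorted(proc["hooks"].items()):
            back = ("trampoline not in these lines" if h["trampoline"] is None else
                    f"trampoline {h['trampoline']:08X} resumes at {site:08X}+{h['displaced']}")
            out.append(f"PID {pid}: hook {site:08X} -> detour {h['detour']:08X}; {back}")
        for site in sorted(proc["restored"]):
            out.append(f"PID {pid}: original prologue written back at {site:08X} (unhook)")
    return out


# Copied from the report: PID 6640's hook/trampoline writes and PID 6704's restores.
SAMPLE = r"""
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6640 base: 3460005 value: E9 FB BF 03 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6640 base: 7749C000 value: E9 0A 40 FC 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6640 base: 3470008 value: E9 AB E0 06 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6640 base: 774DE0B0 value: E9 60 1F F9 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6640 base: 5BE0005 value: E9 CB 5A AC 6E
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6640 base: 746A5AD0 value: E9 3A A5 53 91
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6640 base: 5BF0005 value: E9 5B B0 AD 6E
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6640 base: 746CB060 value: E9 AA 4F 52 91
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6640 base: 5C00005 value: E9 DB F8 31 70
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6640 base: 75F1F8E0 value: E9 2A 07 CE 8F
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6640 base: 5C10005 value: E9 FB 42 33 70
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6640 base: 75F44300 value: E9 0A BD CC 8F
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6704 base: 7749C000 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6704 base: 746A5AD0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6704 base: 746CB060 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6704 base: 75F1F8E0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 6704 base: 75F44300 value: 8B FF 55 8B EC
"""

if __name__ == "__main__":
    for entry in describe(SAMPLE.splitlines()):
        print(entry)
```

On the embedded lines the script pairs each of PID 6640's six hooked addresses with its trampoline: the jump at 7749C000 detours to 0346000F and the trampoline at 03460005 returns to 7749C005, so five bytes were displaced; the hook at 774DE0B0 detours to 03470015 and its trampoline at 03470008 returns to 774DE0B8, so eight bytes were displaced there (the first instruction boundary at or past five bytes). In every case the detour stub sits in the same private allocation as the trampoline, a few bytes after it. The prologue writes in PID 6704 (and likewise in 6596, 7076 and 7116) land on exactly the hooked addresses, which is what the "Overwrites code with function prologues" signature is reporting: the hooks being removed again. Note that 774DE0B0, the eight-byte hook, is absent from those restore entries in this excerpt. The first line of the excerpt, PID 6624 writing E9 2A 07 00 8D at 75F1F8E0, decodes to a detour at 02F2000F; its trampoline is not among the lines shown, so the script reports it as a hook without a paired trampoline rather than guessing.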
Source: C:\Windows\System32\loaddll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: rundll32.exe, 00000003.00000000.261561879.0000000004DC5000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000000.262816974.00000000052B5000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.305022300.0000000005425000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.302369193.0000000004A85000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.332189106.0000000004A75000.00000020.00000001.01000000.00000003.sdmp - Binary or memory string: ASBIEDLL.DLLY%
Source: rundll32.exe, 00000003.00000000.261561879.0000000004DC5000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000000.262816974.00000000052B5000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.305022300.0000000005425000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.302369193.0000000004A85000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.332189106.0000000004A75000.00000020.00000001.01000000.00000003.sdmp - Binary or memory string: ASBIEDLL.DLL
Source: C:\Windows\System32\loaddll32.exe - Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe - Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe - Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 752
Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 756
Source: C:\Windows\SysWOW64\rundll32.exe - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 748
Source: C:\Windows\SysWOW64\rundll32.exe - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 756
Source: C:\Windows\SysWOW64\rundll32.exe - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 752
MITRE ATT&CK matrix, listed per tactic (a number in parentheses is the count the report shows next to that technique):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Disable or Modify Tools (1); Rundll32 (1); Virtualization/Sandbox Evasion (11); Process Injection (11); DLL Side-Loading (1)
Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (11); System Information Discovery (1); Remote System Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Credential API Hooking (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data
Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll | 24% | Virustotal |
SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll | 36% | ReversingLabs | Win32.Trojan.Generic
SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://www.movable-type.co.uk/scripts/xxtea.pdfS | 0% | Virustotal |
http://www.movable-type.co.uk/scripts/xxtea.pdfS | 0% | Avira URL Cloud | safe
http://www.indyproject.org/ | 0% | URL Reputation | safe
No contacted domains info
URLs found in process memory (Name, Source, Malicious, Antivirus Detection, Reputation):

Name: http://www.movable-type.co.uk/scripts/xxtea.pdfS
Source: rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: http://www.schneier.com/paper-twofish-paper.pdfS
Source: rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp
Malicious: false
Reputation: high

Name: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp
Malicious: false
Reputation: high

Name: http://chart.apis.google.com/chart?chs=%dx%d&cht=qr&chld=%s&chl=%sS
Source: rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp
Malicious: false
Reputation: high

Name: http://tools.ietf.org/html/rfc1321
Source: rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp
Malicious: false
Reputation: high

Name: https://code.google.com/p/ddab-lib/issues/list
Source: loaddll32.exe, 00000001.00000003.536706912.0000000003D05000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000000.286173453.0000000005765000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.254796884.0000000005625000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.302407533.0000000003445000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000000.312642934.00000000053F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.299205139.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.297683056.0000000005E85000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfU
Source: rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp
Malicious: false
Reputation: high

Name: http://www.schneier.com/paper-blowfish-fse.htmlS
Source: rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp
Malicious: false
Reputation: high

Name: http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS
Source: rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp
Malicious: false
Reputation: high

Name: http://www.indyproject.org/
Source: loaddll32.exe, 00000001.00000003.535946079.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.256202603.0000000005900000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000000.257143171.0000000005E60000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000003.253172060.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.314465297.0000000005D90000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.334711343.0000000005650000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.297552526.0000000005650000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000000.312728697.0000000005540000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000003.295847556.0000000005F20000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://tools.ietf.org/html/rfc4648S
Source: rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp
Malicious: false
Reputation: high

Name: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS
Source: rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp
Malicious: false
Reputation: high

Name: http://www.itl.nist.gov/fipspubs/fip180-1.htm
Source: rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp
Malicious: false
Reputation: high

Name: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS
Source: rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp
Malicious: false
Reputation: high

Name: http://www.ietf.org/rfc/rfc3447.txtS
Source: rundll32.exe, 00000003.00000000.257360679.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.296448389.0000000004D21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000000.262348743.0000000004E91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000000.298017080.00000000044F1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000000.313480899.00000000044E1000.00000020.00000001.01000000.00000003.sdmp
Malicious: false
Reputation: high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
192.168.2.1 | | | | | |
                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:597480
                            Start date and time:2022-03-26 04:38:48 +01:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 9m 1s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Run name:Run with higher sleep bypass
Number of new started processes analysed:42
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal68.evad.winDLL@36/24@0/1
                            EGA Information:Failed
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                            • Found application associated with file extension: .dll
                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, UpdateNotificationMgr.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 52.182.143.212, 20.42.73.29, 20.189.173.22, 20.189.173.21, 52.168.117.173
                            • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            No simulations
                            No context
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.0473233355879223
                            Encrypted:false
                            SSDEEP:192:V+i70oXxHBUZMX4jed+6wzO/u7syS274It7c:AilXBBUZMX4jeKO/u7syX4It7c
                            MD5:599EC537ACBB04F51770370150FF289A
                            SHA1:678DBC9AC9A29872E5E967A9E3DE76D68419D69B
                            SHA-256:E224715FBA953FDBCDDD3AD69D33434D0778F6BCC7E8E8CF56D76CDD33EE4320
                            SHA-512:E3AAB765B91E9FC46F10F865C3130913949FB5F6A5DFB50395023C1FCE3C130FE341781F547FF36927248184839315E86D7192E40AEED7A7295F9BA951CBEC9C
                            Malicious:false
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.2.7.7.2.0.0.9.9.3.8.0.7.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.2.7.7.2.0.1.5.5.9.4.3.1.5.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.9.9.7.5.4.6.a.-.1.3.4.f.-.4.f.9.d.-.b.2.8.f.-.1.8.c.f.8.9.4.6.d.0.9.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.a.6.c.d.7.f.2.-.5.b.3.8.-.4.a.c.e.-.a.7.7.2.-.1.f.c.a.0.0.9.6.6.0.5.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.8.4.-.0.0.0.1.-.0.0.1.d.-.e.b.2.7.-.9.4.9.7.0.e.4.1.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.0471661289144938
                            Encrypted:false
                            SSDEEP:192:ak4i0x0oX2HBUZMX4jed+pgsO/u7sNS274It7c:n4isXuBUZMX4jeKO/u7sNX4It7c
                            MD5:918844BD45C8A32F6D497D45E771C230
                            SHA1:0837FB3E97C98F85DDF4C08724D806C74AB8AAEF
                            SHA-256:2DB13532BD9B58D279A1BEC8896B2EDFC51C9E795C217F15F72E3B3D18581D3F
                            SHA-512:C10023DBF3E44249DB0099A2174898599AC485423666AE009E9079BDC7D275C6FEE0F9AB98F034B548F8DA9363D1D8C9A9AD2662640BD45C06E9786C71201B03
                            Malicious:false
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.2.7.7.2.0.2.4.8.4.7.1.4.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.2.7.7.2.0.2.6.8.9.4.0.1.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.4.1.4.c.e.7.e.-.d.d.0.5.-.4.b.c.a.-.b.b.f.b.-.8.1.d.3.9.4.f.a.e.0.6.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.2.1.e.2.3.b.9.-.5.d.5.5.-.4.1.9.0.-.9.5.e.3.-.d.7.0.7.9.e.b.1.5.0.1.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.c.-.0.0.0.1.-.0.0.1.d.-.2.6.6.c.-.1.2.9.e.0.e.4.1.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.0473993465206661
                            Encrypted:false
                            SSDEEP:192:S4i60oXyHBUZMX4jed+pgkO/u7syS274It7c:5isXKBUZMX4jeCO/u7syX4It7c
                            MD5:1D00C9966A4D66E13834BDD78BBA79D6
                            SHA1:89987A7B860B9EB752326FA118FE9B52CBF3ABB0
                            SHA-256:C87A388A6C70A15F4E2092974E52084CAB1B9B06532EFC94A44FF5683811B8C3
                            SHA-512:56EE6E98959292005D6ACCE845F8065D027C800D86521EC6800392C4C0D37353CC820B2F720D4D2C103E7FF9E7564E186265E32DFA7B6C6CA128E1F2EF36967F
                            Malicious:false
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.2.7.7.2.0.0.4.5.2.1.6.0.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.2.7.7.2.0.1.0.1.3.0.9.5.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.c.8.3.2.e.9.-.c.9.5.9.-.4.0.6.6.-.8.d.f.4.-.6.4.a.3.a.8.8.a.5.d.2.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.0.e.4.1.f.d.9.-.a.c.c.c.-.4.9.7.f.-.b.b.0.6.-.c.4.4.d.c.9.3.d.4.0.d.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.0.-.0.0.0.1.-.0.0.1.d.-.4.b.7.9.-.5.e.9.3.0.e.4.1.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.0420702318554211
                            Encrypted:false
                            SSDEEP:192:+deia30oXLHBUZMX4jed+pgkO/u7syS274ItWc:yeiCXrBUZMX4jeCO/u7syX4ItWc
                            MD5:2A7DD367D8253AA5428B8F9B287205C7
                            SHA1:0AE70B75AAB6034F333B4F6FEA3C4CBA321E62E3
                            SHA-256:67B33AFACD420641AB79A831BE145607754D3E918562085325E199D9BDB1D8F3
                            SHA-512:E984B11256CC44DE6C1EF263B134E9BF164E79D3D6641878728CE1644A72196AF2C1FB7454127BA9B46EC03CFF6E740E36BB6C1DC80BC80C69ACC1E04B187CE9
                            Malicious:false
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.2.7.7.2.0.0.4.3.1.6.4.5.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.2.7.7.2.0.0.7.3.1.6.4.3.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.a.e.7.a.a.5.-.8.c.7.4.-.4.9.e.3.-.8.e.b.6.-.9.3.9.a.5.6.6.7.9.6.e.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.7.c.3.e.0.a.4.-.0.4.0.b.-.4.7.3.c.-.9.e.a.2.-.6.6.7.b.2.3.c.4.9.d.c.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.e.0.-.0.0.0.1.-.0.0.1.d.-.8.3.3.a.-.5.9.9.3.0.e.4.1.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.041701906340339
                            Encrypted:false
                            SSDEEP:192:rwcIihA0oXnHBUZMX4jed+pYkO/u7sNS274ItWc:rpIihWXHBUZMX4je6O/u7sNX4ItWc
                            MD5:A4D1917379F3E7CA864B1C41BC76F5C2
                            SHA1:4587CD45F39372722B2E882CA8397186B8694244
                            SHA-256:665C3051198BE384BB389419332CF237330773AA2AA742191D11A1C5FEC86A33
                            SHA-512:672B03FEA8B2349AB68FEF2A9779026CEE8EED219AF55828141E287B7AA09E9193C4C5ABE28CF7863C96A97B5110C38E35101140A09DAAF3041DB8C239FB076F
                            Malicious:false
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.2.7.7.2.0.2.4.1.0.3.8.6.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.2.7.7.2.0.2.6.2.6.0.1.1.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.e.5.9.7.f.3.f.-.1.7.d.1.-.4.7.0.6.-.a.c.3.a.-.8.1.8.b.c.2.e.3.6.9.1.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.4.2.1.2.2.0.9.-.2.9.d.8.-.4.7.a.a.-.a.5.7.2.-.d.0.6.9.4.2.0.a.3.0.3.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.6.c.-.0.0.0.1.-.0.0.1.d.-.6.d.7.f.-.5.e.9.d.0.e.4.1.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.994845360962235
                            Encrypted:false
                            SSDEEP:192:nNeihA0oXB5jed+pYkO/u7sNS274ItWc:QihWXfje6O/u7sNX4ItWc
                            MD5:03DBE13E9E4E747416177C0264F02064
                            SHA1:000143F745EDD67B3D4B9113CC6E50918DD96EAF
                            SHA-256:DC3F56F8AA87880004A651C49BCF58C0E1075A8647244836EDB96158A21C37DE
                            SHA-512:BF2C1F47AC484C50C6FB2278FFBA3954427CAEACB2DBC6163242F22558FDC0C39A1505C485D90079FBFD9D27DA2F74AE1CE3B589F416A9EAC0971A593DF42A81
                            Malicious:false
                            Preview:Version=1 EventType=APPCRASH EventTime=132927720286121986 ReportType=2 Consent=1 UploadTime=132927720321746793 ReportStatus=655456 ReportIdentifier=a7920a61-51fd-4ba2-9366-92bfb6bead20 IntegratorReportIdentifier=95bd037f-ffaa-470d-8f9c-84fa7196ebc9 Wow64Host=34404 Wow64Guest=332 NsAppName=rundll32.exe OriginalFilename=RUNDLL32.EXE AppSessionGuid=00001b6c-0001-001d-6d7f-5e9d0e41d801 TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000bcc5dc3222034d3f257f1fd35889e5be90f09
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Mini DuMP crash report, 14 streams, Sat Mar 26 12:40:25 2022, 0x1205a4 type
                            Category:dropped
                            Size (bytes):47494
                            Entropy (8bit):2.259037977574396
                            Encrypted:false
                            SSDEEP:192:ujLG0tna71p9XOO5SkbFtPykPbGDZB1jHLS2XLc5E+44TCed:Qnapp/5LbF1ykjG9B1LOSb2V
                            MD5:6ED568FF4A9A2140CD1AAC113954BECA
                            SHA1:3E58B539E6ED5F45D4CFB961627C4B5C26B06A24
                            SHA-256:4ABCFA02C24FD91AF466B7AAB10DD312CFA71F3BB6B7BCD627ECCA037FEBB36D
                            SHA-512:EF035D7C09153B0D4E34DF71C06DAD26112D30EA79A365A6BF86F63BCC1C2870E3210E9051FABD8F147721EC58BE7D2F5D6799411F016F83E1730A214FC0EF7F
                            Malicious:false
                            Preview:MDMP (binary minidump; only the readable strings are kept here): GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Mini DuMP crash report, 14 streams, Sat Mar 26 12:40:25 2022, 0x1205a4 type
                            Category:dropped
                            Size (bytes):49846
                            Entropy (8bit):2.113025082371615
                            Encrypted:false
                            SSDEEP:192:u7/KG0tnrhxaf9dO5SkbT4niPQLrNqIjhuWc0IZLVbn+dhq:umnrF5LbT4npNr9uBPbh
                            MD5:A46206B09988CEB77222ECF8A62CA17F
                            SHA1:DD12D54E71F795826AB9527B2AB402E40C54CFBF
                            SHA-256:0527D59B9452B1A449D354D155B3C19FD30F1F788FFEE04BBD36656FAC018674
                            SHA-512:D9E6F1AEB2E9D0267DEA087211D0599B482C1752D59349D5A1917FA79365F766F6258E8C190E09DA377A0D88D916FBD9E7DF751E7CFEDFAA92ABA88D2692D99B
                            Malicious:false
                            Preview:MDMP (binary minidump; only the readable strings are kept here): GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8384
                            Entropy (8bit):3.6969809590440303
                            Encrypted:false
                            SSDEEP:192:Rrl7r3GLNiYY6i46YOw6DCgmfTnScCprRD89bnYsfF1tm:RrlsNiP6i46Yh6GgmfTnS9UnLfFO
                            MD5:34C399A9DEFC2AA452229187CCAC7F67
                            SHA1:91095C177571C4A66C91A79E5515F0547AF73D4D
                            SHA-256:156E8A34FB6A929D044212ADEA7C98EC6C9010F48E09C66D5E56BB9C6C468285
                            SHA-512:D54054E80B9F918B163835D30F5B170661C2389136E2690718BEB68443DE8F6BE276E3E83950C768C683573D32DBA51859C8F1408BC4A26E9D160B6AA080C7C7
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7020</Pid>
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4706
                            Entropy (8bit):4.492701093499384
                            Encrypted:false
                            SSDEEP:48:cvIwSD8zsEJgtWI9lxWgc8sqYjK8fm8M4JCds+PYpF8km+q8/5P+Nc4SrS4d:uITfCOggrsqYjJu6meFDW4d
                            MD5:48C89E90E4274180FAB0DE98D52AB671
                            SHA1:93ADDCABEC5AE497C9E11DD02E3558CC6A97486E
                            SHA-256:64B52F23501DD25B91B81633E5113EF966B81C87AAE527F9665E60109781A65E
                            SHA-512:502ADB8A7B2B6E114258DD0428BD64A05FE844BA81D28305B301CFB28239893141152E9D2362D438763EBCD11EC91D8B7E22F208312E75653D390776A0857FF3
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1444191" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8448
                            Entropy (8bit):3.693024953479299
                            Encrypted:false
                            SSDEEP:192:Rrl7r3GLNiD06nc5F6YOG6DCgmf8lScCprRq89bspsfREm:RrlsNiw64F6YH6Ggmf8lS9TsCfH
                            MD5:E51F15F8B9D79CF1D8DAE023107F9358
                            SHA1:713A1483A628F65ACA57983E99C0DA633FFF4BE4
                            SHA-256:1E3F9343BD16B112343F26DCB21C52D61901EF6351A77CF6F7EAD6CEDA282477
                            SHA-512:1A60272FE33690D6B9A742D2B95EDD6BE10A740A94305935DF75108EE1E6192AC92D3820D47F4E0E84CD11B45BD5F3BF6247F14280C6DDF18C32B484EC8E559D
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7100</Pid>
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4807
                            Entropy (8bit):4.48204889237887
                            Encrypted:false
                            SSDEEP:48:cvIwSD8zsEJgtWI9lxWgc8sqYje8fm8M4JCds+PYOFa+q8vjs+PY74SrSmd:uITfCOggrsqYPJuKKjMDWmd
                            MD5:D4DF11790B8D96D27A9370AA48A3FFAA
                            SHA1:67F06783CBDB89E53CD256DAAEBBD469EC02413C
                            SHA-256:89FBF0E1C76A9F57819574D4838EE786E9B7041B98DA328BB5ADD1094E63DDCF
                            SHA-512:AD3109092CD9633EDE3B1D7CBFF2927522DB3A1B24B8BB90B358679F4CA86B327E9CE9E8C24E11E75B6A2B4AA3AAC6FCA8A4F8DAF87844AE4BB0EC2617FE8ACC
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1444191" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8448
                            Entropy (8bit):3.6950634114734386
                            Encrypted:false
                            SSDEEP:192:Rrl7r3GLNiEi60/6YOG6DCgmf8lScCprG89btIsfUPm:RrlsNip60/6YX6Ggmf8lSLt7fh
                            MD5:11AEC94EDFC10126FBAA3A647B5E0041
                            SHA1:92A39D7AB7A27F1E31D0658226CEB52354BE22E0
                            SHA-256:A341BB479E19A871808B02BFD1DE3EB17B86FD014656C0821C0F910632E33857
                            SHA-512:7616A7DB5095B8DAEE451C3356E0A898E602DE643E3D32C31887C2EB59886F7409805A44FB01093BB27FF3B4486F91FD6709274ACBAA01DDC338A5D0CF1E9F52
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6788</Pid>
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Mini DuMP crash report, 14 streams, CheckSum 0x00000004, Sat Mar 26 12:40:29 2022, 0x1205a4 type
                            Category:dropped
                            Size (bytes):23270
                            Entropy (8bit):2.603114426663788
                            Encrypted:false
                            SSDEEP:96:5n8o8w/rckNV70s2OF1Soi75SkNnus95gEFwl/vWInWIX6puIjN4mic5fg03PPiR:u8rckD70s2217O5SkbFKKL4w5fTfwNF
                            MD5:F7DB728A37FA1D77CFA3FC67693A7BC0
                            SHA1:DD926274B14866020E81DBB7727969E32EB2505E
                            SHA-256:F3A5320895E811F0E81ED5A9D1157C0C36D6C53C4FE3FDFBEA01D4EC29AAD932
                            SHA-512:F04F3242E08D5E7E7CC46F7E1611D9475E4F52DDFB19567FC400B8264F7CC2A18A7E90650F585800733343797FC284DB5E3747942FC21A39AFDCC271F1172229
                            Malicious:false
                            Preview:MDMP (binary minidump; only the readable strings are kept here): GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):7996
                            Entropy (8bit):3.698663439513071
                            Encrypted:false
                            SSDEEP:192:Rrl7r3GLNiYZ6n2s6YOS6DCgmfTnSbCpr689bLosf0x5m:RrlsNiO62s6YT6GgmfTnS4Lbfr
                            MD5:A77FFFADB2F4B09B3C3C1F0A5B651D9E
                            SHA1:A9B6A6CD9680AAA29B3F0500C52C7394D61D6FE9
                            SHA-256:9E6FB269752ADC235F158C649C4D9F52525C142B582C3B18305BA665ABA69667
                            SHA-512:1A2AD48A60166AF88CF908333B1C5019F1B06418680D30D3E09B7B344BC5E663C5489CB643A39F81D28C3FD9108B3A04BF41B40DF894199997C5F91DA7A71CF6
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7020</Pid>
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4706
                            Entropy (8bit):4.494737866764452
                            Encrypted:false
                            SSDEEP:48:cvIwSD8zsEJgtWI9lxWgc8sqYj/8fm8M4JCds+PYpFcCl+q8/5P+Nc4SrS4d:uITfCOggrsqYwJuDCleFDW4d
                            MD5:BB2B5C74D66474EF8568084187D456BB
                            SHA1:CB7B605DEF1F7290DB89A303F653E5AD0CAF8E86
                            SHA-256:5463087D6758D2C17961A9898C0757A1A56532F3AA9687C9BD14659610A99A6E
                            SHA-512:41D7A6A1F19788FABD23D9A62A7BB4280164A8C3BAB0375932ED157D077FCCD06275D74E3B51E7B85D3D42DF68186BED45DA2E1380E13B9C61969C690BB45BCC
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1444191" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4807
                            Entropy (8bit):4.480460095216683
                            Encrypted:false
                            SSDEEP:48:cvIwSD8zsrJgtWI9lxWgc8sqYjm8fm8M4JCds+PYOF4x+q8vjs+PYRG4SrSOd:uITfFOggrsqYnJuGKjEGDWOd
                            MD5:C84E03AC1A295D8002B267FA753E997E
                            SHA1:247FE2406816C72753A8DE61630BA9FF9F167E75
                            SHA-256:5A464C9965686627542313EC8D2F67566E0D17494ECEBCE4F8DA581FB8198602
                            SHA-512:CDE40D25275ABA7F4150AAD3F01F650DE45001AAE8ACA04838808819F13CB5E1A9FCF9916F4DB675C6E913468F930F83C3391230BD3334255269BCF2DA5B7BEE
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1444190" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Mini DuMP crash report, 14 streams, Sat Mar 26 12:40:05 2022, 0x1205a4 type
                            Category:dropped
                            Size (bytes):50278
                            Entropy (8bit):2.1562347344373483
                            Encrypted:false
                            SSDEEP:192:yjQG0tnb31q6O5SkbT3NnfVB6eBmmJ/h+kJz4nIDncdGDX:vnblM5LbTdnfv0O/h+kJZcE
                            MD5:88E419D1D933C4338BE42486E8224651
                            SHA1:9CD31F71BDDDDC31906E4BDF99C84041C963251A
                            SHA-256:7F9636485AFC95CECF5F907C74E5CBAA726E695E85EDE838434EB03EBDBCA3AC
                            SHA-512:5A5C72E7C9067DF077D2AE5D993155CA274AF2544F8FF9D8B0E976560443F61DCFC518007E1F825A5ED1A6F5A564EFCA36ECC7A798234C2EB9669F94C2D656F3
                            Malicious:false
                            Preview:MDMP (binary minidump; only the readable strings are kept here): GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Mini DuMP crash report, 14 streams, Sat Mar 26 12:40:08 2022, 0x1205a4 type
                            Category:dropped
                            Size (bytes):48314
                            Entropy (8bit):2.183553233943976
                            Encrypted:false
                            SSDEEP:192:raXlTG0tnJ31JVcO5SkbTT6FRZ+PU1kbb1aF5npQYt/nA8RmjEnANwO:U7nJlJ55LbTTUHMikborpQYt/n
                            MD5:3CCDE2EF9C2E47B686EE33DDF55B9C95
                            SHA1:822F827A4741A10CDCA2611193D318EF843B85D5
                            SHA-256:AC9F65E17F68A0CC481E478463FE025E09E8285446C599B33315463C57358045
                            SHA-512:4EF26207923ECA9B4FDE8D3B52954A16095F84B7645C1439F702E1057F2B13C2096C7ED37316F4017F932213FE7A4A67EDE789E3CB8C0899132C0232F34DDC9B
                            Malicious:false
                            Preview:MDMP (binary minidump; only the readable strings are kept here): GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8384
                            Entropy (8bit):3.69735342971905
                            Encrypted:false
                            SSDEEP:192:Rrl7r3GLNiLQ6NcmcLq6YOP26DCgmfTTScCpro89buLsfkR6m:RrlsNiM6OrLq6YP6GgmfTTSRuQfkt
                            MD5:AF41DFC63A49C9C82F557C2D4FC95211
                            SHA1:E50634BD0E2FB76E09BABC185FCD74E95AB049CC
                            SHA-256:0593EB80A0FA2B9CF79FB6F758903E99ED451E706F167031737BBA279D21EAFF
                            SHA-512:978EDACB952D24B5835AF26CF4B1EBD4A87332C11FBB5B583D5D3AAB5F4ED0AFE267F74A8D96CB62A6AEB73BEF54ACDB49BC86067A4FDE93C687429252781102
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6624</Pid>
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4706
                            Entropy (8bit):4.493044756211852
                            Encrypted:false
                            SSDEEP:48:cvIwSD8zsrJgtWI9lxWgc8sqYjV8fm8M4JCds+PYHF/mf+q8/5P+NG4SrSh6d:uITfFOggrsqY+JuReXDWh6d
                            MD5:017800EDF380CCB486B214A6DB636336
                            SHA1:BD5D8F61E645F9E839D73334CCE6C1D850B22881
                            SHA-256:74A59DA2D5FB03BB581D21AF4C7B19105F0E6773E50DCFA481BD96F39817AE0F
                            SHA-512:EDA444FEACEB76B9AFDA2E6C20CD74B398A00A848F8CA255A66FEDCF1E75A5141DFCE136F37DECAE8C806EE417E5D768612B0D6764D09086C07CC8D4FB8738BB
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1444190" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8412
                            Entropy (8bit):3.693284144053344
                            Encrypted:false
                            SSDEEP:192:Rrl7r3GLNipv6ZYi6Yjg6sQGgmf8lScCprU89bpesf5jm:RrlsNiB6ZYi6YE6igmf8lSVpdfg
                            MD5:9E7D214DCEEA94DEE22F5134AFD74CBC
                            SHA1:17E727488AD5845DDA9C7945D25EE5B627BC3096
                            SHA-256:2DB8677E4D22E60071244937D33F7E673C58CE57EA0478497E745C63F04D096B
                            SHA-512:2B5528D52D7295AF2B65342BAC6E0D368EECE6B39ECAB13E65D261136A7E45B9ACCA99F1944347ECC6AEB3DC425DEC6ADBDC2451B2DCB13EAB222B29F9AF4192
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6640</Pid>
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4807
                            Entropy (8bit):4.481156285683692
                            Encrypted:false
                            SSDEEP:48:cvIwSD8zsrJgtWI9lxWgc8sqYjN8fm8M4JCds+PYOFnl+q8vjs+PYKe4SrSld:uITfFOggrsqYeJu3lKjJeDWld
                            MD5:C9C07B7CDE7B07FB54A1B653EBF7A8DC
                            SHA1:29620CFA2DE3D647C66EA18C413736A5B80FDE03
                            SHA-256:5CE38FB9032C9AE0F6EFCA6877AF79B644718AB8B63C2FF9AEADA45274946F49
                            SHA-512:24F8C8675D0291CEBAD83852C4F2E1FE43AB12932F30B7BCE0E068BCAAE87951C4D7EB12E1ABE0CD1CF08AD385BF83F5DB40A19D6D0B269521BBEC43FCDA3781
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1444190" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Mini DuMP crash report, 14 streams, Sat Mar 26 12:40:14 2022, 0x1205a4 type
                            Category:dropped
                            Size (bytes):50174
                            Entropy (8bit):2.1093343116646093
                            Encrypted:false
                            SSDEEP:192:dfxG0tnzjcU9Z0H8UO5SkbgGDoYEPVBMsW9PRz5w4a52FsC6HLQ6M0H:fnz79Z/5Lbg0oYEHMsWbze4aCyu0
                            MD5:336E488E7A545B9FD50D64B80F08ADA7
                            SHA1:79AC4AE1BFE8B2B40F11EA311718EEC111A92DCB
                            SHA-256:E8446BCD4AE079A421B76D692E14B071EC261B651DE6B5FE5D61C5E5B869007C
                            SHA-512:AE51E600A113F55609F8D3842BDB855FE02D4AD9452A20A09B8AC5F82D0B502567ADF248852594B1926C27340F7C536CA83D810A8A0788BE8520C4B81416C712
                            Malicious:false
                            Preview:MDMP....... .........?b........................................B6..........T.......8...........T...............&...........\!..........H#...................................................................U...........B.......#......GenuineIntelW...........T.............?b.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.9496307039591185
                            TrID:
                            • Win32 Dynamic Link Library (generic) (1002004/3) 98.12%
                            • Windows Screen Saver (13104/52) 1.28%
                            • Win16/32 Executable Delphi generic (2074/23) 0.20%
                            • Generic Win/DOS Executable (2004/3) 0.20%
                            • DOS Executable Generic (2002/1) 0.20%
                            File name:SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll
                            File size:6532096
                            MD5:f37c7d5fa69ad187235a162203eacafd
                            SHA1:970f5aac456ac9e403c445bbf9eae084019b9b46
                            SHA256:4b2ff97ccb7034b07618bf9fc3e8935c233a564574ad1629280bf39e7dcb5ec3
                            SHA512:4ba025a6367907044d8a5167a00e3da0aa00c1145337b65fde7f8cd563733ab2505fdb10e1043f1a0009706777142c10ee3d0f2c913153d84860c4db471e66c0
                            SSDEEP:196608:JXj9MVF8wMg+A+ClOFWpqnhX/x3fTeIxe7tF:JNg+AVhkhXpPTe
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                            Icon Hash:74f0e4ecccdce0e4
                            Entrypoint:0xd5c737
                            Entrypoint Section:.YPm1
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                            DLL Characteristics:
                            Time Stamp:0x623BCA07 [Thu Mar 24 01:31:51 2022 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:0
                            File Version Major:5
                            File Version Minor:0
                            Subsystem Version Major:5
                            Subsystem Version Minor:0
                            Import Hash:ce881f62e54bb9b9c720f6ce57186321
                            Instruction
                            push FD92CA81h
                            call 00007F76CCC16215h
                            bswap eax
                            jmp 00007F76CCCEFF1Eh
                            mov ax, word ptr [ebp+00h]
                            mov cl, byte ptr [ebp+02h]
                            sub ebp, 00000002h
                            xor edx, 3FA52201h
                            setle dl
                            shl dl, 0000000Ah
                            shr ax, cl
                            cwd
                            not dx
                            xchg dh, dh
                            mov word ptr [ebp+04h], ax
                            mov edx, 340D6AF7h
                            movsx dx, bh
                            pushfd
                            and dl, dl
                            pop dword ptr [ebp+00h]
                            mov edx, dword ptr [esi]
                            add esi, 00000004h
                            xor edx, ebx
                            jmp 00007F76CCBF11DEh
                            mov eax, dword ptr [edi]
                            stc
                            mov cl, byte ptr [edi+04h]
                            cmp dx, si
                            lea edi, dword ptr [edi+00000006h]
                            mov byte ptr [eax], cl
                            adc ax, di
                            sub esi, 00000004h
                            mov eax, dword ptr [esi]
                            clc
                            cmp esi, 727F1E38h
                            jmp 00007F76CD02D3EAh
                            dec eax
                            mov edx, dword ptr [edi]
                            clc
                            shr cl, cl
                            inc bp
                            sub eax, esi
                            mov cl, byte ptr [edi+08h]
                            dec eax
                            sub edi, 00000006h
                            inc ecx
                            test al, 00000045h
                            inc ebp
                            movsx eax, sp
                            dec ecx
                            rcr eax, FFFFFFB0h
                            dec eax
                            shr edx, cl
                            inc bp
                            movsx eax, dh
                            inc sp
                            movzx eax, bl
                            dec eax
                            mov dword ptr [edi+08h], edx
                            pushfd
                            inc bp
                            adc eax, esi
                            inc ecx
                            setnle al
                            stc
                            pop dword ptr [edi]
                            stc
                            inc ecx
                            sbb al, FFFFFFCBh
                            clc
                            dec ecx
                            sub edx, 00000004h
Data directories

Name                                   Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x97040c          0xbf           .YPm1
IMAGE_DIRECTORY_ENTRY_IMPORT           0xc752a0          0x1cc          .YPm1
IMAGE_DIRECTORY_ENTRY_RESOURCE         0xe6b000          0x270          .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0               0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0               0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0xe6a000          0x5ac          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0               0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0               0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0               0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT              0xbfa000          0xc74          .YPm1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0xc49e3c          0x1e0          .YPm1
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0               0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0               0x0
Sections

Name     Virtual Address   Virtual Size   Raw Size   Xored PE   ZLIB Complexity   File Type              Entropy         Characteristics
.text    0x1000            0x54e534       0x0        unknown    unknown           unknown                unknown         IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext   0x550000          0x3b1c         0x0        False      0                 empty                  0.0             IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data    0x554000          0x2ef7c        0x0        False      0                 empty                  0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss     0x583000          0x98fc         0x0        False      0                 empty                  0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata   0x58d000          0x438c         0x0        False      0                 empty                  0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didata  0x592000          0xc2e          0x0        False      0                 empty                  0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.edata   0x593000          0xbf           0x0        False      0                 empty                  0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rdata   0x594000          0x45           0x0        False      0                 empty                  0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.YPm0    0x595000          0x29ab6f       0x0        unknown    unknown           unknown                unknown         IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.YPm1    0x830000          0x639d40       0x639e00   unknown    unknown           unknown                unknown         IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc   0xe6a000          0x5ac          0x600      False      0.51953125        GLS_BINARY_LSB_FIRST   4.19292885743   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc    0xe6b000          0x270          0x400      False      0.291015625       data                   2.22312736033   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources

Name         RVA        Size    Type   Language   Country
RT_VERSION   0xe6b058   0x218   data   English    United States
Imports (DLL: imported functions)

winmm.dll: PlaySoundW
wininet.dll: FindFirstUrlCacheEntryW, FindNextUrlCacheEntryW, InternetCloseHandle, InternetReadFile, FindCloseUrlCache, InternetOpenW, InternetOpenUrlW, DeleteUrlCacheEntryW
winspool.drv: DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW
comctl32.dll: ImageList_GetImageInfo, FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage
shell32.dll: SHGetSpecialFolderLocation, Shell_NotifyIconW, SHAppBarMessage, SHFileOperationW, ShellExecuteW, SHGetPathFromIDListW
user32.dll: DdeSetUserHandle, MoveWindow, CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, DefFrameProcW, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, DdeCmpStringHandles, SendMessageA, IsClipboardFormatAvailable, EnumWindows, ShowOwnedPopups, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, SetSystemCursor, GetClientRect, IsChild, IsIconic, CallNextHookEx, DdeDisconnect, ShowWindow, GetWindowTextW, SetForegroundWindow, GetAsyncKeyState, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetThreadDesktop, SetFocus, ReleaseDC, mouse_event, ExitWindowsEx, GetClassLongW, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, SetClassLongW, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, PtInRect, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, GetMessageTime, DdeNameService, DdeAccessData, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DdeQueryConvInfo, DrawTextExW, EnumClipboardFormats, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, DrawIconEx, DdePostAdvise, GetClassNameW, DdeCreateDataHandle, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, GetCursor, KillTimer, WaitMessage, TranslateMDISysAccel, CreateDesktopW, GetWindowPlacement, CreateWindowExW, ChildWindowFromPoint, OpenDesktopW, GetMessageW, GetDCEx, PeekMessageW, MonitorFromWindow, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, DdeUnaccessData, MapVirtualKeyW, IsWindowUnicode, DispatchMessageW, CreateAcceleratorTableW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, DdeClientTransaction, DrawFocusRect, SendInput, ReleaseCapture, LoadCursorW, DdeConnect, ScrollWindow, GetLastActivePopup, DdeUninitialize, GetSystemMetrics, CharUpperBuffW, SetClipboardData, GetClipboardData, ClientToScreen, SetWindowPlacement, DdeFreeStringHandle, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, MonitorFromRect, InsertMenuItemW, DdeQueryStringA, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, VkKeyScanW, DestroyMenu, SetWindowsHookExW, EmptyClipboard, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, GetKeyboardState, OemToCharBuffW, ScreenToClient, DrawFrameControl, DdeFreeDataHandle, SetCursor, CreateIcon, DdeInitializeA, RemoveMenu, DdeCreateStringHandleA, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, CountClipboardFormats, CloseClipboard, DestroyCursor, PostMessageA, CopyIcon, PostQuitMessage, DdeGetLastError, ShowScrollBar, EnableMenuItem, HideCaret, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowRect, GetWindowLongW, InsertMenuW, MenuItemFromPoint, IsWindowEnabled, IsDialogMessageA, FindWindowW, GetKeyboardLayout, DeleteMenu
version.dll: GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll: GetErrorInfo, SysFreeString, VariantClear, VariantInit, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, VariantChangeType
advapi32.dll: RegSetValueExW, RegConnectRegistryW, GetUserNameW, RegQueryInfoKeyW, CryptGenRandom, RegUnLoadKeyW, IsValidAcl, CryptReleaseContext, RegSaveKeyW, RegReplaceKeyW, RegCreateKeyExW, CryptAcquireContextW, InitializeAcl, RegLoadKeyW, RegEnumKeyExW, AdjustTokenPrivileges, RegDeleteKeyW, SetSecurityInfo, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, RegDeleteValueW, RegFlushKey, RegEnumValueW, RegQueryValueExW, RegCloseKey, RegRestoreKeyW
netapi32.dll: NetWkstaGetInfo, NetApiBufferFree
msvcrt.dll: strncmp, _stricmp, _ftol, memcpy, memset, sprintf
kernel32.dll: SetFileAttributesW, GetFileTime, GetFileType, SetFileTime, QueryDosDeviceW, GetACP, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, TlsAlloc, TerminateThread, QueryPerformanceFrequency, SetProcessWorkingSetSize, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, HeapAlloc, ExitProcess, GetCPInfoExW, GlobalSize, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToTzSpecificLocalTime, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, FileTimeToDosDateTime, ReadFile, DosDateTimeToFileTime, GetUserDefaultLCID, CreateProcessW, HeapSize, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, CopyFileW, MapViewOfFile, CreateMutexW, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, MoveFileW, RaiseException, GlobalAddAtomW, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, OutputDebugStringW, GetCurrentThread, GetLogicalDrives, LocalFileTimeToFileTime, GetFileAttributesExW, LockResource, LoadLibraryExW, TerminateProcess, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, GlobalFindAtomW, VirtualQuery, GlobalFree, VirtualQueryEx, Sleep, SetVolumeLabelW, EnterCriticalSection, SetFilePointer, ReleaseMutex, FlushFileBuffers, LoadResource, SuspendThread, GetTickCount, GetTempFileNameW, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, GlobalLock, SetThreadPriority, VirtualAlloc, GetTempPathW, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, WinExec, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, TlsFree, GetConsoleOutputCP, UnmapViewOfFile, GetConsoleCP, GetModuleHandleExA, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, GetLocaleInfoW, CreateFileW, SystemTimeToFileTime, EnumResourceNamesW, DeleteFileW, IsDBCSLeadByteEx, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, GetOEMCP, WriteFile, CreateFileMappingW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, TzSpecificLocalTimeToSystemTime, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, RemoveDirectoryW, CreateEventW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
SHFolder.dll: SHGetFolderPathW
wsock32.dll: gethostbyaddr, getsockopt, setsockopt, select, WSACleanup, gethostbyname, bind, gethostname, closesocket, WSAGetLastError, connect, getpeername, inet_addr, WSAAsyncSelect, WSAAsyncGetServByName, WSACancelAsyncRequest, send, accept, ntohs, htons, WSAStartup, getservbyname, __WSAFDIsSet, getsockname, listen, socket, recv, inet_ntoa, ioctlsocket, shutdown, WSAAsyncGetHostByName
ole32.dll: OleRegEnumVerbs, IsAccelerator, CreateBindCtx, MkParseDisplayName, CoCreateInstance, CoUninitialize, IsEqualGUID, ProgIDFromCLSID, CreateStreamOnHGlobal, OleInitialize, CLSIDFromProgID, OleUninitialize, CoGetClassObject, CoInitialize, CoTaskMemFree, OleDraw, CoTaskMemAlloc, StringFromCLSID, OleSetMenuDescriptor
gdi32.dll: Pie, SetBkMode, CreateCompatibleBitmap, GetEnhMetaFileHeader, CloseEnhMetaFile, RectVisible, AngleArc, ResizePalette, SetAbortProc, SetTextColor, StretchBlt, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, GetWindowOrgEx, CreatePalette, PolyBezierTo, CreateICW, CreateDCW, GetStockObject, CreateSolidBrush, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, GetEnhMetaFilePaletteEntries, CreatePenIndirect, SetMapMode, CreateFontIndirectW, PolyBezier, LPtoDP, EndDoc, GetObjectW, GetWinMetaFileBits, SetROP2, GetEnhMetaFileDescriptionW, ArcTo, CreateEnhMetaFileW, Arc, SelectPalette, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, CreateEllipticRgn, Rectangle, SaveDC, DeleteDC, BitBlt, FrameRgn, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, CombineRgn, SetWinMetaFileBits, GetStretchBltMode, CreateDIBitmap, SetStretchBltMode, GetDIBits, CreateDIBSection, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetBrushOrgEx, GetCurrentPositionEx, GetNearestPaletteIndex, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries
ntdll.dll: RtlCompressBuffer, RtlGetCompressionWorkSpaceSize
WTSAPI32.dll: WTSSendMessageW
kernel32.dll: VirtualQuery, GetSystemTimeAsFileTime, GetModuleHandleA, CreateEventA, GetModuleFileNameW, LoadLibraryA, TerminateProcess, GetCurrentProcess, CreateToolhelp32Snapshot, Thread32First, GetCurrentProcessId, GetCurrentThreadId, OpenThread, Thread32Next, CloseHandle, SuspendThread, ResumeThread, WriteProcessMemory, GetSystemInfo, VirtualAlloc, VirtualProtect, VirtualFree, GetProcessAffinityMask, SetProcessAffinityMask, GetCurrentThread, SetThreadAffinityMask, Sleep, FreeLibrary, GetTickCount, SystemTimeToFileTime, FileTimeToSystemTime, GlobalFree, LocalAlloc, LocalFree, GetProcAddress, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetModuleHandleW, LoadResource, MultiByteToWideChar, FindResourceExW, FindResourceExA, WideCharToMultiByte, GetThreadLocale, GetUserDefaultLCID, GetSystemDefaultLCID, EnumResourceNamesA, EnumResourceNamesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceTypesA, EnumResourceTypesW, CreateFileW, LoadLibraryW, GetLastError, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetCommandLineA, RaiseException, RtlUnwind, HeapFree, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, LCMapStringA, LCMapStringW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, QueryPerformanceCounter, HeapReAlloc, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, WriteFile, SetFilePointer, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, SetStdHandle
user32.dll: GetProcessWindowStation, GetUserObjectInformationW, CharUpperBuffW, MessageBoxW
kernel32.dll: LocalAlloc, GetModuleFileNameW, LocalFree, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
user32.dll: GetProcessWindowStation, GetUserObjectInformationW
Exports

Name                             Ordinal   Address
TMethodImplementationIntercept   3         0x46cd90
__dbk_fcall_wrapper              2         0x412e5c
dbkFCallWrapperAddr              1         0x986640
rm5MLoUr43vZ510sxf6Pi            4         0x9422e4
Version information

Description       Data
ProgramID         com.embarcadero.f63oC4kyXi7P1
ProductVersion    1.0.0.0
ProductName       f63oC4kyXi7P1
FileVersion       1.0.0.0
FileDescription   f63oC4kyXi7P1
Translation       0x0409 0x04e4
Language of compilation system   Country where language is spoken
English                          United States
                            No network behavior found


                            Target ID:1
                            Start time:05:39:45
                            Start date:26/03/2022
                            Path:C:\Windows\System32\loaddll32.exe
                            Wow64 process (32bit):true
                            Commandline:loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll"
                            Imagebase:0x11e0000
                            File size:116736 bytes
                            MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:high

                            Target ID:2
                            Start time:05:39:46
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",#1
                            Imagebase:0xc20000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:3
                            Start time:05:39:46
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll,TMethodImplementationIntercept
                            Imagebase:0x10000
                            File size:61952 bytes
                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:high

                            Target ID:4
                            Start time:05:39:46
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",#1
                            Imagebase:0x10000
                            File size:61952 bytes
                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:high

                            Target ID:6
                            Start time:05:39:50
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll,__dbk_fcall_wrapper
                            Imagebase:0x10000
                            File size:61952 bytes
                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:high

                            Target ID:9
                            Start time:05:39:53
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll,dbkFCallWrapperAddr
                            Imagebase:0x10000
                            File size:61952 bytes
                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:high

                            Target ID:11
                            Start time:05:40:00
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 752
                            Imagebase:0x50000
                            File size:434592 bytes
                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:12
                            Start time:05:40:02
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 756
                            Imagebase:0x50000
                            File size:434592 bytes
                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:13
                            Start time:05:40:03
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",TMethodImplementationIntercept
                            Imagebase:0x10000
                            File size:61952 bytes
                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:high

                            Target ID:14
                            Start time:05:40:04
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",__dbk_fcall_wrapper
                            Imagebase:0x10000
                            File size:61952 bytes
                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:high

                            Target ID:15
                            Start time:05:40:04
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",dbkFCallWrapperAddr
                            Imagebase:0x10000
                            File size:61952 bytes
                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi

                            Target ID:16
                            Start time:05:40:05
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.48713704.16555.dll",rm5MLoUr43vZ510sxf6Pi
                            Imagebase:0x10000
                            File size:61952 bytes
                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi

                            Target ID:17
                            Start time:05:40:08
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 748
                            Imagebase:0x50000
                            File size:434592 bytes
                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:26
                            Start time:05:40:23
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 756
                            Imagebase:0x50000
                            File size:434592 bytes
                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:27
                            Start time:05:40:24
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 752
                            Imagebase:0x50000
                            File size:434592 bytes
                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:29
                            Start time:05:40:27
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 752
                            Imagebase:0x50000
                            File size:434592 bytes
                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:30
                            Start time:05:40:27
                            Start date:26/03/2022
                            Path:C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 756
                            Imagebase:0x50000
                            File size:434592 bytes
                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            No disassembly