
Windows Analysis Report
1.dll

Overview

General Information

Sample name: 1.dll
Analysis ID: 1524655
MD5: bab802308f09fe74a448a04dbf742938
SHA1: ba0dc3d03b001a0b6b7f0437e6d01534dd0d947a
SHA256: 9efd55e5678b0e2c419483939b7b11d9168bceeffe8cbe7d1f809b0ccd9c7fe3
Tags: dll, Mekotio, user-Merlax_

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
Tries to evade analysis by execution special instruction (VM detection)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6680 cmdline: loaddll32.exe "C:\Users\user\Desktop\1.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4564 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 3512 cmdline: rundll32.exe "C:\Users\user\Desktop\1.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 5408 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 704 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 2008 cmdline: rundll32.exe C:\Users\user\Desktop\1.dll,TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 3272 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 696 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 3744 cmdline: rundll32.exe C:\Users\user\Desktop\1.dll,__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6664 cmdline: rundll32.exe C:\Users\user\Desktop\1.dll,dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 4588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6664 -s 704 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7216 cmdline: rundll32.exe "C:\Users\user\Desktop\1.dll",TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 696 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7224 cmdline: rundll32.exe "C:\Users\user\Desktop\1.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7236 cmdline: rundll32.exe "C:\Users\user\Desktop\1.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7256 cmdline: rundll32.exe "C:\Users\user\Desktop\1.dll",y4c1l01066ejk5s6 MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 1.dll | Avira: detected
Source: 1.dll | ReversingLabs: Detection: 28%
Source: 1.dll | Virustotal: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.0% probability
Source: 1.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | String found in binary or memory: http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS
Source: rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | String found in binary or memory: http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfU
Source: rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | String found in binary or memory: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS
Source: 1.dll | String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | String found in binary or memory: http://tools.ietf.org/html/rfc1321
Source: rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | String found in binary or memory: http://tools.ietf.org/html/rfc4648S
Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net
Source: 1.dll | String found in binary or memory: http://www.componentace.com
Source: rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | String found in binary or memory: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS
Source: rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | String found in binary or memory: http://www.ietf.org/rfc/rfc3447.txtS
Source: loaddll32.exe, 00000000.00000003.1810509302.0000000004360000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1921836076.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1918374111.00000000043A3000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004F53000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1954006722.0000000006690000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1739516063.0000000006030000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004AE3000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1911252158.0000000006080000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004FE3000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1940151086.00000000065E0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.1825493848.0000000006010000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004FF3000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1853069825.0000000006680000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1843060713.0000000005E70000.00000004.00001000.00020000.00000000.sdmp, 1.dll | String found in binary or memory: http://www.indyproject.org/
Source: rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | String found in binary or memory: http://www.itl.nist.gov/fipspubs/fip180-1.htm
Source: rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | String found in binary or memory: http://www.movable-type.co.uk/scripts/xxtea.pdfS
Source: rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | String found in binary or memory: http://www.schneier.com/paper-blowfish-fse.htmlS
Source: rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | String found in binary or memory: http://www.schneier.com/paper-twofish-paper.pdfS

System Summary

Source: 1.dll | Static PE information: section name: +C.[Uj
Source: 1.dll | Static PE information: section name: p0]C@L[r
Source: 1.dll | Static PE information: section name: U$fB=(Em
Source: 1.dll | Static PE information: section name: (R[.Wf)`
Source: 1.dll | Static PE information: section name: gom*c]qV
Source: 1.dll | Static PE information: section name: RJ-?J+i.
Source: 1.dll | Static PE information: section name: XL@CHYK
Source: 1.dll | Static PE information: section name: \ '[NHj
Source: 1.dll | Static PE information: section name: BL5#]r
Source: 1.dll | Static PE information: section name: N hNNs[=
Source: 1.dll | Static PE information: section name: MfO)l*Qo
Source: 1.dll | Static PE information: section name: KY<I6S'j
Source: 1.dll | Static PE information: section name: IMeQFog'
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 696
Source: 1.dll | Static PE information: Number of sections : 13 > 10
Source: 1.dll | Binary or memory string: OriginalFileName vs 1.dll
Source: 1.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal80.evad.winDLL@24/17@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2008
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\y4c1l01066ejk5s6
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7216
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6664
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3512
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\416a1684-779d-4baf-839d-9b6b99032084
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1.dll,TMethodImplementationIntercept
Source: 1.dll | ReversingLabs: Detection: 28%
Source: 1.dll | Virustotal: Detection: 31%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\1.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1.dll,TMethodImplementationIntercept
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 696
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 704
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1.dll,__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1.dll,dbkFCallWrapperAddr
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6664 -s 704
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1.dll",y4c1l01066ejk5s6
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 696
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1.dll,TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1.dll,__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1.dll,dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1.dll",y4c1l01066ejk5s6
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: shfolder.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wsock32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: olepro32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: security.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 1.dll | Static file information: File size 25343488 > 1048576
Source: 1.dll | Static PE information: Raw size of +C.[Uj is bigger than: 0x100000 < 0x4c3c00
Source: 1.dll | Static PE information: Raw size of BL5#]r is bigger than: 0x100000 < 0x985600
Source: 1.dll | Static PE information: Raw size of MfO)l*Qo is bigger than: 0x100000 < 0x92de00
Source: initial sample | Static PE information: section where entry point is pointing to: MfO)l*Qo
Source: 1.dll | Static PE information: section name: +C.[Uj
Source: 1.dll | Static PE information: section name: p0]C@L[r
Source: 1.dll | Static PE information: section name: U$fB=(Em
Source: 1.dll | Static PE information: section name: (R[.Wf)`
Source: 1.dll | Static PE information: section name: gom*c]qV
Source: 1.dll | Static PE information: section name: RJ-?J+i.
Source: 1.dll | Static PE information: section name: XL@CHYK
Source: 1.dll | Static PE information: section name: \ '[NHj
Source: 1.dll | Static PE information: section name: BL5#]r
Source: 1.dll | Static PE information: section name: N hNNs[=
Source: 1.dll | Static PE information: section name: MfO)l*Qo
Source: 1.dll | Static PE information: section name: KY<I6S'j
Source: 1.dll | Static PE information: section name: IMeQFog'

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6680 base: D50007 value: E9 EB DF 1E 76
Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6680 base: 76F3DFF0 value: E9 1E 20 E1 89
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2008 base: 2480007 value: E9 EB DF AB 74
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2008 base: 76F3DFF0 value: E9 1E 20 54 8B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3512 base: 30F0007 value: E9 EB DF E4 73
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3512 base: 76F3DFF0 value: E9 1E 20 1B 8C
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3744 base: 2C80007 value: E9 EB DF 2B 74
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 3744 base: 76F3DFF0 value: E9 1E 20 D4 8B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6664 base: 2C30007 value: E9 EB DF 30 74
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6664 base: 76F3DFF0 value: E9 1E 20 CF 8B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7216 base: 2F10007 value: E9 EB DF 02 74
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7216 base: 76F3DFF0 value: E9 1E 20 FD 8B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7224 base: 2B60007 value: E9 EB DF 3D 74
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7224 base: 76F3DFF0 value: E9 1E 20 C2 8B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7236 base: 31F0007 value: E9 EB DF D4 73
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7236 base: 76F3DFF0 value: E9 1E 20 2B 8C
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7256 base: 29D0007 value: E9 EB DF 56 74
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7256 base: 76F3DFF0 value: E9 1E 20 A9 8B
Source: C:\Windows\System32\loaddll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 26FC695
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 2141647
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 273647B
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 21842E6
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 264A11D
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 204E2AF
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 1FE8FA1
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 26B7BA0
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 277B354
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 21875B9
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 26425E4
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 2762214
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 1FF2C60
Source: C:\Windows\System32\loaddll32.exe Special instruction interceptor: First address: 20DAC20 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\loaddll32.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Windows\System32\loaddll32.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe | Thread information set: HideFromDebugger
Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1.dll",#1
Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count the report shows next to that technique):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
  • Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook
  • Defense Evasion: Rundll32 (1); Virtualization/Sandbox Evasion (111); Process Injection (11); DLL Side-Loading (1)
  • Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS
  • Discovery: Security Software Discovery (321); Process Discovery (1); Virtualization/Sandbox Evasion (111); System Information Discovery (21)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
  • Collection: Credential API Hooking (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 1524655, Sample: 1.dll, Start date: 03/10/2024, Architecture: WINDOWS, Score: 80)

  • 1.dll: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; PE file contains section with special chars; AI detected suspicious sample
  • loaddll32.exe (started by the sample): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to evade analysis by execution special instruction (VM detection); Hides threads from debuggers; Switches to a custom stack to bypass stack traces
  • loaddll32.exe starts cmd.exe, two rundll32.exe instances and 6 other processes
  • cmd.exe starts rundll32.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hides threads from debuggers; starts WerFault.exe
  • rundll32.exe (first instance started by loaddll32.exe): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hides threads from debuggers; starts WerFault.exe
  • The second rundll32.exe instance and the other processes also start WerFault.exe

Source | Detection | Scanner | Label
1.dll | 29% | ReversingLabs |
1.dll | 32% | Virustotal |
1.dll | 100% | Avira | HEUR/AGEN.1327619
No Antivirus matches
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
http://www.indyproject.org/ | 0% | URL Reputation | safe
http://www.movable-type.co.uk/scripts/xxtea.pdfS | 0% | Virustotal |
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf | 0% | Virustotal |
http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfU | 0% | Virustotal |
http://www.schneier.com/paper-twofish-paper.pdfS | 0% | Virustotal |
http://www.schneier.com/paper-blowfish-fse.htmlS | 0% | Virustotal |
http://tools.ietf.org/html/rfc1321 | 0% | Virustotal |
http://www.componentace.com | 1% | Virustotal |
http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS | 0% | Virustotal |
http://tools.ietf.org/html/rfc4648S | 0% | Virustotal |
http://www.itl.nist.gov/fipspubs/fip180-1.htm | 0% | Virustotal |
http://www.ietf.org/rfc/rfc3447.txtS | 0% | Virustotal |
http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS | 0% | Virustotal |
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS | 0% | Virustotal |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.movable-type.co.uk/scripts/xxtea.pdfS | rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | false | | unknown
http://www.schneier.com/paper-twofish-paper.pdfS | rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | false | | unknown
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf | 1.dll | false | | unknown
http://tools.ietf.org/html/rfc1321 | rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | false | | unknown
http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfU | rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | false | | unknown
http://www.schneier.com/paper-blowfish-fse.htmlS | rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | false | | unknown
http://upx.sf.net | Amcache.hve.9.dr | false | URL Reputation: safe | unknown
http://www.componentace.com | 1.dll | false | | unknown
http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS | rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | false | | unknown
http://www.indyproject.org/ | loaddll32.exe, 00000000.00000003.1810509302.0000000004360000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1921836076.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1918374111.00000000043A3000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004F53000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1954006722.0000000006690000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1739516063.0000000006030000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004AE3000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1911252158.0000000006080000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004FE3000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1940151086.00000000065E0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.1825493848.0000000006010000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004FF3000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1853069825.0000000006680000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1843060713.0000000005E70000.00000004.00001000.00020000.00000000.sdmp, 1.dll | false | URL Reputation: safe | unknown
http://tools.ietf.org/html/rfc4648S | rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | false | | unknown
http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS | rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | false | | unknown
http://www.itl.nist.gov/fipspubs/fip180-1.htm | rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | false | | unknown
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS | rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | false | | unknown
http://www.ietf.org/rfc/rfc3447.txtS | rundll32.exe, 00000003.00000002.1918374111.0000000003EE1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1950947840.0000000004A91000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1908033483.0000000004621000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1937563498.0000000004B21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1850196553.0000000004B31000.00000020.00000001.01000000.00000003.sdmp, 1.dll | false | | unknown
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1524655
Start date and time:2024-10-03 03:28:09 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 51s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:25
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:1.dll
Detection:MAL
Classification:mal80.evad.winDLL@24/17@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.189.173.20
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
Time | Type | Description
21:29:13 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
21:29:23 | API Interceptor | 4x Sleep call for process: WerFault.exe modified
No context
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9530353072928345
Encrypted:false
SSDEEP:192:up9imOHolw0BU/wjeTXH6zuiFpZ24IO84ci:G9inIlLBU/wje+zuiFpY4IO84ci
MD5:E5668F25B7C173446A1F6987FA3CFBC0
SHA1:FE73428061EA7296DE16F4AAAF2DD7894871B3B3
SHA-256:E1B154CCF94C862F3E4C76743831AF87542FFCB6DB96C6858A4DCC864151239C
SHA-512:25AD5D41FB09215841BF4CE47D86BE5115B94FEC06D8BBFB9DB18B214275A13B69194A191CB6BE6D8B70741D5458C0ED68886923E3613B4A0F1A261F0D7CE4D1
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9533151115483466
Encrypted:false
SSDEEP:192:DxkiNOjlw0BU/wjeTZuzzuiFpZ24IO84ci:1kiEjlLBU/wje2zuiFpY4IO84ci
MD5:81F14381E1F100C74CDD3C23F1EBC20D
SHA1:E47652437EB01478270000D6FD40A7FC85881212
SHA-256:F0958638EFA3CFACF49BFCF0003A8829DE15AF795AF46174E91F8CBB67987B6E
SHA-512:0232B3A12924C7BC96BFEFB0F56978F261EAD120214E53D4A378E6E1A8919F19394D8429A6D61EAF25581ED9DA1E900233B7D3C3C708789AF88D0C86EEC4584A
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9478173885174722
Encrypted:false
SSDEEP:192:XcA2i8OB7slJ0BU/wjeTZuzzuiFpZ24IO8dci:XL2iNWlqBU/wje2zuiFpY4IO8dci
MD5:C81497766C01005AF822D66CE7E108C1
SHA1:D5693D27ABFD05651C859F86725D13550293304F
SHA-256:30B2F3FEFDEF75EFFF79689E81A94A81A71F41BA75DDCDA7A83C6FF407F21DB5
SHA-512:9340020EF9CF06D2383C8961FFE048DD571C5A9EA82F558B73D0F55C73F2AFAE576B3980437F356300809E09C1D3626B8C69619319ACE8FB9DA00D51DCB19B45
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9475142538334284
Encrypted:false
SSDEEP:192:zhwiiOQlJ0BU/wjeTZuzzuiFpZ24IO8dcio:OiDQlqBU/wje2zuiFpY4IO8dci
MD5:7855CCC88AC18D6090BC49786BC0E63B
SHA1:3F235D8CA6C2312F343B247B95051123A1829B3D
SHA-256:A4D908F4D6F1FC7826485368BC81B90F1234001FB2538CC60F55EAC8E5F07A75
SHA-512:0EFC81615FD32FC2B4F34099B203BA644C8119A8F99FC2F2A303F28FBB959D28A9B44620230F666193C9F15CF3E535263D34AE77B07BBBA0787DB7744E6D9ABD
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8338
Entropy (8bit):3.6870069418391407
Encrypted:false
SSDEEP:192:R6l7wVeJPo6lLXY6YCt6VGgmf8/mprw89b3VsfAsdm:R6lXJQ6m6Y46VGgmf8/+3ufAb
MD5:95BC2EF7D16486D635A58DC81F466FEE
SHA1:E5260ADD16E182646BABA2DB562C4B5D7D59B274
SHA-256:879DDF39574354EBA5C80B49B7C10799BE8954A902B225B9CE8E9A0B78BD037A
SHA-512:F74F40E2BEA6FFBD4AB81D9FCE3A426C09A6F0D8F2DC3CFDB81428790369983DAE3A902E9E0D20262082AFBDAD8B8876AAF0421D81A4A3057181C681D477EAC6
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4733
Entropy (8bit):4.436749892596441
Encrypted:false
SSDEEP:48:cvIwWl8zsKJg77aI98PWpW8VYcYm8M4JCdP3vFa+q8vjP30dGScSDwM6d:uIjfYI7ue7V8JyUKjuJ3L6d
MD5:C4C729E9D4CB3E61A1AFE022C2784B5C
SHA1:3BA11BEAB1AD82B58F73F956E45C52FC5F5F1E3B
SHA-256:2F41FB6DE771E45FE4ED325FF17AC0D794EA1FE3BDC271ECF47E2E45899AC110
SHA-512:C980C584BC535AA5B2445B36FAC70BD646A2156B58D8024FB59CEED178E08D437CC2CCB694A1FE6D862B428A00C01BC762FB071F893E734B7FA791A7BAC40B92
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 01:29:17 2024, 0x1205a4 type
Category:dropped
Size (bytes):44288
Entropy (8bit):2.090184844242145
Encrypted:false
SSDEEP:192:RnMpq/fLXZv7cuO5H4wMKtGBj4V6di48wWqF7h:5MQ/dTcp5H9tGBj4V6di4J7
MD5:4C24ED08015844DFE90C461EA6E3A25E
SHA1:EB11912B89A2AECE0C4EE099AEAF485ACBCEF6E0
SHA-256:11DE0F98D5EA06E77DA5A6694EA02EEDB596BEE3FFC7761C1A898041C75AA082
SHA-512:81102EECE67A2862E75341F2B0B8765D95F6AAC1BE20DBF95DAD4C86723F3AA4D83FA886ED98910045A580AC50F5EDC755E4BB344A07DC19B5E366607427A3C9
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8268
Entropy (8bit):3.693028892740369
Encrypted:false
SSDEEP:192:R6l7wVeJvR6QL96YyE6Al/gmfTlmprZ89bIpsf+4m:R6lXJZ6e6Yp6Al/gmfTl1ICfY
MD5:AE81886C9BAECF9D7F7DC179AB93E788
SHA1:B04620C6B53DC4828AEC18DE4450C3596CCFC68F
SHA-256:9E568D66170DF8122803BC7D2A49D73FE75BC81D5AC991D496664157506C6A5D
SHA-512:4B337F7659FE07C513C2DC89AC35968946B9ABFA7CE35DDA1648349E8D6685729435458D84E4ED775ABBCB4DD7E4D4E2169415281B875FD6F601A7A9EA4FD15A
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.1.6.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4632
Entropy (8bit):4.44925827301571
Encrypted:false
SSDEEP:48:cvIwWl8zsKJg77aI98PWpW8VY5PYm8M4JCdP3wFKo+q8/9SCGScSyd:uIjfYI7ue7VMSJybo8hJ3yd
MD5:3729DB24776B8C69017A4C167D012B60
SHA1:AB890D255E90C6EDA9FB68EA0F25FDA1DC4898DD
SHA-256:5A9A522987D3B2C2DAE394AF79715D91C6E31AE8EBA23DC75724D16609509D40
SHA-512:9FA55CD392FB3FD830D2BC4A0955B3A58660A7B9353F068EA90274E496F2E9330F36DFD0FBEC1A792BA24DD7A7AA44D1F8A0AE3CD10930C4BD88937DF8A1ACA7
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526591" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 01:29:09 2024, 0x1205a4 type
Category:dropped
Size (bytes):45268
Entropy (8bit):1.9976571209990892
Encrypted:false
SSDEEP:192:JzMZGxT1XZ07QaO5H4yftUPehIduScn9uTqL/:BMC/yQl5H3iPeeduS/+/
MD5:653BFA5B6B39DE9368F553E9720369F7
SHA1:7B6DF0F1BB2FB3B74C665AEBFD130C98C3C0730D
SHA-256:E1F13658F44623897ED54C6E0BF1ED25B5C7736225A1E480856CABFF077180C1
SHA-512:F496B3F2AC0ACC077A7BF445CE08EE87B10E76B27CDD8D7442ADDABB245B822845FD40C6E746A7D980839F18B76442E2239AE156214AB4573E86ECB0B2221D91
Malicious:false
Preview:MDMP..a..... .......e..f........................................N/..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T...........c..f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 01:29:04 2024, 0x1205a4 type
Category:dropped
Size (bytes):47048
Entropy (8bit):1.983951734449204
Encrypted:false
SSDEEP:192:kZMDN/fLXZO7ADL4O5H4uPltS0nipKW+UV:cMp/do8L/5HHltRiUw
MD5:126FF90BDA0DEB95CA7171516AC0D5FD
SHA1:9F87A1A8DF79807AD93477A0239AE35397819522
SHA-256:2FF9228BD0FEB361120F2D28F016BE0F764978B8868483BC6ED3206A7F0A3229
SHA-512:204CF2002BCEF1023FBFCF832D46DC665939DE2C111972767CB016F8A382427DC38904CBCF309415A011E66D4BBC2E02F1287FA8F9E2D9E4B889FC31A3538B9C
Malicious:false
Preview:MDMP..a..... .......`..f........................................N/..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T...........]..f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 01:29:04 2024, 0x1205a4 type
Category:dropped
Size (bytes):46872
Entropy (8bit):1.9516981223556915
Encrypted:false
SSDEEP:192:krnMS//fLXZK7wO5H4Z6Rmu97ddM/IK9ZsSv4:MnMU/d8H5HK65ZdM/pv
MD5:756CDBEA21157155487AB350FE474A64
SHA1:959200924E293685EF8135CBB01EC3EA082EB77A
SHA-256:18D5B831A5F493D0DDBDC0337DA8F9B58B4D942F5001EAD8DDCA976995A5AAC1
SHA-512:F8CB7E2F2BE5899A58A94B1FBD947A9EDAF87E005CD0A8CC1BC1E07232D940AA53E4AFBCD0A9D11176A3E924512BBE6495E894FB6D7780B5428A29941AC27F70
Malicious:false
Preview:MDMP..a..... .......`..f........................................N/..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T...........]..f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8324
Entropy (8bit):3.687648817826524
Encrypted:false
SSDEEP:192:R6l7wVeJatB64Lg6Yo+6+gmf8/mprp89bSisfxmm:R6lXJ26b6Yx6+gmf8/FShfZ
MD5:FF04A9793C19BF55084B92333041E58D
SHA1:A89FAFB02DBDF048A98398DA6CA6AE65629B69F5
SHA-256:9F982C94DA5B61695BA442CC927AD9BAE7F7D6D1D9D8569833210DCE0192FED8
SHA-512:6A3FBC3F3593880A60A25B3A79E500ABF1E4735814CDD7AC75A88BB96FD1CFBB3BCF10BA5B5F309B3E7D97E343185A5B960668A92206CFCF5D4F79979C134765
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.1.2.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8274
Entropy (8bit):3.6892890120890507
Encrypted:false
SSDEEP:192:R6l7wVeJHz63LR6YCB6fGgmfTlmprw89bSksfW3mm:R6lXJT6d6YU6fGgmfTl+SXfm
MD5:E8FAE644F97A541BAA76E51FF835D1BE
SHA1:BCF003225AA5EFBDBDE46E1EC21B716BD37037D6
SHA-256:4A01C837883963D192F4C113BC06C6E1987CF8FE1AA1A72C64CFF4B694FB59E6
SHA-512:88F24B9E2064E6868EFED1DF5DFA506AE43EF1A42670374C0DB82A1F9D91B33054E982DB9E1C1B4502AD67B204D13C9B91E3335BE4419D0B9869EE87FC3304A0
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.0.0.8.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4632
Entropy (8bit):4.448039384210931
Encrypted:false
SSDEEP:48:cvIwWl8zsKJg77aI98PWpW8VYCYm8M4JCdP3wF0+q8/9SBoGScShhd:uIjfYI7ue7VqJyZ8ooJ3hhd
MD5:D254D2368A4B73CD8F2BF1D508DE4B62
SHA1:0EBE99008439E32D7DE20FB508080166BC4B0A53
SHA-256:91B69CA34347A8524D3408D15ED83ADC468EAC5567038B5B785743C2FEA6FF4E
SHA-512:A084DADC1011295B5E958C0798C55F551EB1CADBC7875D4955BE9BFF56C6BB317BA0AD49D13BE01545BF73E9B259754C5CAC7A44E53F47E01D709162AF52350D
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526591" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4733
Entropy (8bit):4.436225910691868
Encrypted:false
SSDEEP:48:cvIwWl8zsKJg77aI98PWpW8VY25Ym8M4JCdP3vF7+q8vjP33GScSgd:uIjfYI7ue7V+JyxKj3J3gd
MD5:00B8B1CDC6186A9F5D9FD48EA005A686
SHA1:9012020C7F8983822E5165605BE0D1B6B814E608
SHA-256:23132D311E087133AD495016E33AD4D57FC590816D9F16D85FF61804CE847782
SHA-512:A359C1728E2591EC6ACE0DC6FD03806CD3170697D8BD2D4BF32A245453246F7F5A87E4BBA33D925D47802C2A779ACC21CD1793B71CA3F9BC65D751BA7C719CC6
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526591" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.466228834394924
Encrypted:false
SSDEEP:6144:LIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:MXD94+WlLZMM6YFHT+G
MD5:D8AD75C70FF63F039D8556A9245C5C40
SHA1:FE4A5FAA818FE6679322FA180728287B7E4AED9A
SHA-256:192384791BCC0377EB424F84EA3B3972400CABDE70404CDF2049D6109D5AEDC1
SHA-512:40AE96C10CDEAE98AC964EB069A733A7E4CD53AEC224B0050FF84D815F9A14CF277FB0EBBDCB76C96753B1D25570A1BD8F69B2251508376F137DBE2DC705C649
Malicious:false
Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....3...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.395081709476415
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.40%
  • Win16/32 Executable Delphi generic (2074/23) 0.21%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:1.dll
File size:25'343'488 bytes
MD5:bab802308f09fe74a448a04dbf742938
SHA1:ba0dc3d03b001a0b6b7f0437e6d01534dd0d947a
SHA256:9efd55e5678b0e2c419483939b7b11d9168bceeffe8cbe7d1f809b0ccd9c7fe3
SHA512:0b4997889894e71b2fd7d4a5d00991f64ada7c71f2ed98f05831255e4cd04144f7911410d53b89c533713d92bb4e7323eed96e59ecc07d4567053c026ee0326e
SSDEEP:393216:ApJwSi0umuCtK4KI8YxCYOMbvE9hMTz4KvdAF+m0zAIwmJ:mwSi0uiZ3OMbE92hdS+mp
TLSH:AD47025775CA40BAD4C61D35873BA3DA267BB6732A41CC362FD0380C9E31FA1663A953
File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash:7ae282899bbab082
Entrypoint:0x13afb33
Entrypoint Section:MfO)l*Qo
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:0x66F6D6C0 [Fri Sep 27 16:01:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:ee93a244a88e1d813de73a39466e183e
Instruction
call 00007FB820B2922Dh
and ax, dx
push ecx
not ax
sar cl, FFFFFFA7h
mov word ptr [esi-02h], ax
mov edx, ecx
mov eax, dword ptr [esp+04h]
adc eax, FFF7F6F4h
jmp eax
inc cl
dec edx
ror edx, 1
dec cl
push eax
neg edx
pop eax
xor edx, 01185F9Ah
bswap edx
not ax
or eax, C9B8028Eh
lea edx, dword ptr [eax+edx-0E0224E1h]
cmovo eax, ecx
add dword ptr [esp+01h], ecx
bswap edx
not edx
cwde
adc edx, 11A47F1Dh
shl ax, 0061h
and cl, 00000025h
xchg eax, ecx
xor ebx, edx
not cx
jmp 00007FB8211AF305h
mov dword ptr [esp+00h], ecx
add cx, word ptr [esp+00h]
mov byte ptr [eax], dl
mov edx, dword ptr [edi+06h]
xor ecx, ecx
xor edx, ebx
sar dword ptr [esp+ecx*2], FFFFFFDAh
and cx, word ptr [esp+ecx*2+02h]
movzx eax, cl
ror edx, 02h
neg edx
and ecx, A0BCE590h
not edx
rol byte ptr [esp+ecx+02h], FFFFFFC1h
sbb edx, ecx
neg ax
inc dword ptr [esp+ecx]
neg edx
add ax, ax
xor ebx, edx
bswap ecx
bt eax, eax
adc ebp, edx
sar eax, FFFFFFB6h
movzx edx, byte ptr [ecx+edi+0Ah]
sal ecx, 21h
bts ecx, eax
xor dl, bl
sub dl, 00000007h
xor byte ptr [esp+ecx*8-08h], ah
ror dl, cl
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4f3000 | 0xba | XL@CHYK
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10c8140 | 0x17c | MfO)l*Qo
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17aa000 | 0x2adf8 | KY<I6S'j
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x17d5000 | 0x65f4c | IMeQFog'
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xe7b000 | 0x94 | N hNNs[=
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xf2616c | 0x1e0 | MfO)l*Qo
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
+C.[Uj | 0x1000 | 0x4c3a4c | 0x4c3c00 | 49b5e47d8f6f16ac4a63b6694fd6c7ec | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
p0]C@L[r | 0x4c5000 | 0x3a40 | 0x3c00 | a765b992c769403171e9d8a72e016e69 | False | 0.4921875 | data | 6.030681066668675 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
U$fB=(Em | 0x4c9000 | 0x19d4c | 0x19e00 | 839ebadba704cbb535d4d3f1174e1b50 | False | 0.4624471618357488 | data | 6.768392800578501 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(R[.Wf)` | 0x4e3000 | 0x9c38 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gom*c]qV | 0x4ed000 | 0x451a | 0x4600 | d71f646a9f35d9c5782fbc34c9071756 | False | 0.9597098214285714 | data | 7.863136578302134 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
RJ-?J+i. | 0x4f2000 | 0xd84 | 0xe00 | 2bf045b696ead4c862b3977627e9852f | False | 0.3462611607142857 | data | 4.352581065931013 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
XL@CHYK | 0x4f3000 | 0xba | 0x200 | a1b37aaf831f6a1ae7dd0b20494b60cc | False | 0.318359375 | data | 2.3556432330648196 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
\ '[NHj | 0x4f4000 | 0x45 | 0x200 | 4ae75964954652113b5bc6e6bf8e2eec | False | 0.158203125 | ASCII text, with no line terminators | 1.1775367479159162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
BL5#]r | 0x4f5000 | 0x98549b | 0x985600 | 0cd7b878d67d0f5a3efcacf65cb35fc6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
N hNNs[= | 0xe7b000 | 0xac | 0x200 | 732b6ec094c5111bdce78f30d26a018d | False | 0.19921875 | data | 1.1665541472760406 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
MfO)l*Qo | 0xe7c000 | 0x92dd10 | 0x92de00 | 1180d30c57831354590970528c74b58f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
KY<I6S'j | 0x17aa000 | 0x2adf8 | 0x2ae00 | 067727187fec35ed7941a23969e3812c | False | 0.21616481413994168 | data | 5.335047881173322 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
IMeQFog' | 0x17d5000 | 0x65f4c | 0x66000 | 162ad8d86066ae5a2035b0fa817d4664 | False | 0.5824477251838235 | data | 6.7328630794729065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
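Three of the static signatures in this report ("Entry point lies outside standard sections", "PE file contains section with special chars", "PE file contains more sections than normal") and the data directory "Is in Section" column can be recomputed from the section table above. The script below is an added example, not Joe Sandbox code: SECTIONS, DIRECTORIES, IMAGE_BASE and ENTRYPOINT are transcribed from this report, while STANDARD_NAMES and MAX_NORMAL_SECTIONS are the example's own assumptions, and the report's Entrypoint value is assumed to be a virtual address (image base already added).

```python
"""Re-derive section-based PE signatures from the report's section table.
Added example, not code from the Joe Sandbox report. SECTIONS, DIRECTORIES,
IMAGE_BASE and ENTRYPOINT are transcribed from the report; STANDARD_NAMES,
MAX_NORMAL_SECTIONS and the VA reading of ENTRYPOINT are assumptions."""
from dataclasses import dataclass

CODE, EXEC, READ, WRITE, INIT, DISC = ("CNT_CODE", "MEM_EXECUTE", "MEM_READ",
                                       "MEM_WRITE", "CNT_INITIALIZED_DATA",
                                       "MEM_DISCARDABLE")


@dataclass(frozen=True)
class Section:
    name: str
    va: int         # VirtualAddress (RVA of the section start)
    vsize: int      # Misc.VirtualSize
    raw_size: int   # SizeOfRawData
    flags: tuple    # IMAGE_SCN_* characteristics

    def contains(self, rva: int) -> bool:
        # The loader maps max(VirtualSize, SizeOfRawData) bytes at va.
        return self.va <= rva < self.va + max(self.vsize, self.raw_size)


IMAGE_BASE = 0x400000
ENTRYPOINT = 0x13afb33   # report value, read as image base + AddressOfEntryPoint (assumption)

SECTIONS = [  # transcribed from the report's section table
    Section("+C.[Uj",   0x1000,    0x4c3a4c, 0x4c3c00, (CODE, EXEC, READ)),
    Section("p0]C@L[r", 0x4c5000,  0x3a40,   0x3c00,   (CODE, EXEC, READ)),
    Section("U$fB=(Em", 0x4c9000,  0x19d4c,  0x19e00,  (INIT, READ, WRITE)),
    Section("(R[.Wf)`", 0x4e3000,  0x9c38,   0x0,      (READ, WRITE)),
    Section("gom*c]qV", 0x4ed000,  0x451a,   0x4600,   (INIT, READ, WRITE)),
    Section("RJ-?J+i.", 0x4f2000,  0xd84,    0xe00,    (INIT, READ, WRITE)),
    Section("XL@CHYK",  0x4f3000,  0xba,     0x200,    (INIT, READ)),
    Section("\\ '[NHj", 0x4f4000,  0x45,     0x200,    (INIT, READ)),
    Section("BL5#]r",   0x4f5000,  0x98549b, 0x985600, (CODE, EXEC, READ)),
    Section("N hNNs[=", 0xe7b000,  0xac,     0x200,    (INIT, READ, WRITE)),
    Section("MfO)l*Qo", 0xe7c000,  0x92dd10, 0x92de00, (CODE, EXEC, READ)),
    Section("KY<I6S'j", 0x17aa000, 0x2adf8,  0x2ae00,  (INIT, READ)),
    Section("IMeQFog'", 0x17d5000, 0x65f4c,  0x66000,  (INIT, DISC, READ)),
]
DIRECTORIES = {  # non-empty data directories from the report: name -> RVA
    "EXPORT": 0x4f3000, "IMPORT": 0x10c8140, "RESOURCE": 0x17aa000,
    "BASERELOC": 0x17d5000, "IAT": 0xe7b000, "DELAY_IMPORT": 0xf2616c,
}
# Assumption: names the common linkers (MSVC, GCC/MinGW, Delphi) emit.
STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata",
                  ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".textbss",
                  "CODE", "DATA", "BSS", ".itext", ".didata"}
MAX_NORMAL_SECTIONS = 10  # assumption for the "more sections than normal" bar
NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")


def section_for_rva(sections, rva):
    """Section containing rva, or None if it maps to no section."""
    return next((s for s in sections if s.contains(rva)), None)


def has_special_chars(name):
    """Linker-generated names use [A-Za-z0-9._$]; anything else is suspect."""
    return any(c not in NAME_CHARS for c in name)


def triage(sections, entrypoint_va, image_base, directories=None):
    ep = section_for_rva(sections, entrypoint_va - image_base)
    dirs = {}
    for dname, rva in (directories or {}).items():
        owner = section_for_rva(sections, rva)
        dirs[dname] = owner.name if owner else None
    return {
        "section_count": len(sections),
        "too_many_sections": len(sections) > MAX_NORMAL_SECTIONS,
        "special_char_sections": [s.name for s in sections if has_special_chars(s.name)],
        "entrypoint_section": ep.name if ep else None,
        "entrypoint_outside_standard": ep is None or ep.name not in STANDARD_NAMES,
        "entrypoint_executable": bool(ep and EXEC in ep.flags),
        # VirtualSize > 0 with SizeOfRawData == 0 is filled at load time:
        # normal for a .bss, worth a look when the name is garbage.
        "zero_raw_sections": [s.name for s in sections if s.raw_size == 0 and s.vsize],
        "directory_sections": dirs,
    }


if __name__ == "__main__":
    for key, value in triage(SECTIONS, ENTRYPOINT, IMAGE_BASE, DIRECTORIES).items():
        print(f"{key}: {value}")
```

To run the same checks on the file itself rather than the transcribed table, build the Section objects from pefile's pe.sections (Name, VirtualAddress, Misc_VirtualSize, SizeOfRawData, Characteristics) and pass pe.OPTIONAL_HEADER.AddressOfEntryPoint with image_base=0, since that field is already an RVA.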
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x17ac3fc | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x17ac530 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x17ac664 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x17ac798 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x17ac8cc | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x17aca00 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x17acb34 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_CURSOR | 0x17acc68 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x17acd9c | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x17aced0 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x17ad004 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x17ad138 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x17ad26c | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x17ad3a0 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x17ad4d4 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x17ad608 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x17ad73c | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x17ad870 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x17ad9a4 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
RT_CURSOR | 0x17adad8 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_BITMAP | 0x17adc0c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x17adddc | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x17adfc0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x17ae190 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x17ae360 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x17ae530 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x17ae700 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x17ae8d0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x17aeaa0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x17aec70 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x17aee40 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5208333333333334
RT_BITMAP | 0x17aef00 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42857142857142855
RT_BITMAP | 0x17aefe0 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.4955357142857143
RT_BITMAP | 0x17af0c0 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.38392857142857145
RT_BITMAP | 0x17af1a0 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4947916666666667
RT_BITMAP | 0x17af260 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.484375
RT_BITMAP | 0x17af320 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42410714285714285
RT_BITMAP | 0x17af400 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5104166666666666
RT_BITMAP | 0x17af4c0 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.5
RT_BITMAP | 0x17af5a0 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4895833333333333
RT_BITMAP | 0x17af660 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.3794642857142857
RT_STRING | 0x17af740 | 0x30c | data | | | 0.3923076923076923
RT_STRING | 0x17afa4c | 0x534 | data | | | 0.3506006006006006
RT_STRING | 0x17aff80 | 0x62c | data | | | 0.29430379746835444
RT_STRING | 0x17b05ac | 0x904 | data | | | 0.292894280762565
RT_STRING | 0x17b0eb0 | 0xbf0 | data | | | 0.21727748691099477
RT_STRING | 0x17b1aa0 | 0x4c4 | data | | | 0.38688524590163936
RT_STRING | 0x17b1f64 | 0x474 | data | | | 0.4043859649122807
RT_STRING | 0x17b23d8 | 0xff4 | data | | | 0.2051909892262488
RT_STRING | 0x17b33cc | 0xa94 | data | | | 0.31056129985228953
RT_STRING | 0x17b3e60 | 0x9fc | data | | | 0.3227699530516432
RT_STRING | 0x17b485c | 0x918 | data | | | 0.27963917525773196
RT_STRING | 0x17b5174 | 0x6e8 | data | | | 0.3003393665158371
RT_STRING | 0x17b585c | 0x52c | data | | | 0.3935045317220544
RT_STRING | 0x17b5d88 | 0x378 | data | | | 0.38738738738738737
RT_STRING | 0x17b6100 | 0x518 | data | | | 0.3688650306748466
RT_STRING | 0x17b6618 | 0x3d8 | data | | | 0.40040650406504064
RT_STRING | 0x17b69f0 | 0x404 | data | | | 0.3959143968871595
RT_STRING | 0x17b6df4 | 0x3a0 | data | | | 0.4040948275862069
RT_STRING | 0x17b7194 | 0x40c | data | | | 0.4015444015444015
RT_STRING | 0x17b75a0 | 0x3f8 | data | | | 0.42322834645669294
RT_STRING | 0x17b7998 | 0x374 | data | | | 0.39819004524886875
RT_STRING | 0x17b7d0c | 0x378 | data | | | 0.33783783783783783
RT_STRING | 0x17b8084 | 0x2e0 | data | | | 0.4470108695652174
RT_STRING | 0x17b8364 | 0x3d8 | data | | | 0.3333333333333333
RT_STRING | 0x17b873c | 0x448 | data | | | 0.37135036496350365
RT_STRING | 0x17b8b84 | 0x438 | data | | | 0.37592592592592594
RT_STRING | 0x17b8fbc | 0x3a4 | data | | | 0.34012875536480686
RT_STRING | 0x17b9360 | 0x3f8 | data | | | 0.4104330708661417
RT_STRING | 0x17b9758 | 0x184 | data | | | 0.5463917525773195
RT_STRING | 0x17b98dc | 0xcc | data | | | 0.6666666666666666
RT_STRING | 0x17b99a8 | 0x1e0 | data | | | 0.5145833333333333
RT_STRING | 0x17b9b88 | 0x288 | data | | | 0.49074074074074076
RT_STRING | 0x17b9e10 | 0x35c | data | | | 0.3953488372093023
RT_STRING | 0x17ba16c | 0x3c0 | data | | | 0.371875
RT_STRING | 0x17ba52c | 0x410 | data | | | 0.3903846153846154
RT_STRING | 0x17ba93c | 0x564 | data | | | 0.32463768115942027
RT_STRING | 0x17baea0 | 0x2dc | data | | | 0.3483606557377049
RT_STRING | 0x17bb17c | 0x3b8 | data | | | 0.4275210084033613
RT_STRING | 0x17bb534 | 0x410 | data | | | 0.3817307692307692
RT_STRING | 0x17bb944 | 0x608 | data | | | 0.31865284974093266
RT_STRING | 0x17bbf4c | 0x420 | data | | | 0.4128787878787879
RT_STRING | 0x17bc36c | 0x4a0 | data | | | 0.32094594594594594
RT_STRING | 0x17bc80c | 0x3b0 | data | | | 0.3792372881355932
RT_STRING | 0x17bcbbc | 0x404 | data | | | 0.36770428015564205
RT_STRING | 0x17bcfc0 | 0x350 | data | | | 0.3867924528301887
RT_STRING | 0x17bd310 | 0xd4 | data | | | 0.5283018867924528
RT_STRING | 0x17bd3e4 | 0xa4 | data | | | 0.6524390243902439
RT_STRING | 0x17bd488 | 0x2dc | data | | | 0.46311475409836067
RT_STRING | 0x17bd764 | 0x458 | data | | | 0.29856115107913667
RT_STRING | 0x17bdbbc | 0x31c | data | | | 0.42462311557788945
RT_STRING | 0x17bded8 | 0x2e8 | data | | | 0.3736559139784946
RT_STRING | 0x17be1c0 | 0x398 | data | | | 0.29891304347826086
RT_RCDATA | 0x17be558 | 0x10 | data | | | 1.5
RT_RCDATA | 0x17be568 | 0x1884 | data | | | 0.5595920968769917
RT_RCDATA | 0x17bfdec | 0x2 | data | English | United States | 5.0
RT_RCDATA | 0x17bfdf0 | 0x2f2 | Delphi compiled form 'Tcpccf4dy28ay0ime16i6341k3m12j8m2fwm3' | | | 0.6087533156498673
RT_RCDATA | 0x17c00e4 | 0x1da9 | Delphi compiled form 'Teedsq9y3k6h7fqdmpmjoi20i8f0dlk47f89g1afc' | | | 0.26642960621625184
RT_RCDATA | 0x17c1e90 | 0x1423 | Delphi compiled form 'Tfgq8m8a446bg4wy1457eazk1m0y37043so' | | | 0.26479146459747815
RT_RCDATA | 0x17c32b4 | 0x442 | Delphi compiled form 'Tfm671o90lf0909i060i854y0m30ig' | | | 0.5577981651376147
RT_RCDATA | 0x17c36f8 | 0x167d | Delphi compiled form 'Thh2l253fep20slol8aec510061uz60pz' | | | 0.29338196977592496
RT_RCDATA | 0x17c4d78 | 0x14b | Delphi compiled form 'Thx6z45x0q40rwn2iwoz3nnon8l1ei8j' | | | 0.7522658610271903
RT_RCDATA | 0x17c4ec4 | 0xd02 | Delphi compiled form 'Tit436pl2720jd3y3og06oxhp0d3qz263zq5506s0h' | | | 0.35585585585585583
RT_RCDATA | 0x17c5bc8 | 0xb78 | Delphi compiled form 'Tiy7o4hn2agx0l8zmp6s0pcq2g3a900o69lf' | | | 0.38521798365122617
RT_RCDATA | 0x17c6740 | 0x42c2 | Delphi compiled form 'Tjf4e58tak4scd22nfssz0705716bulmauyz0q' | | | 0.20942071386775893
RT_RCDATA | 0x17caa04 | 0xf8e | Delphi compiled form 'Tmeaz1hc1f08lxr60uqg54pj81l87ugca02azpj' | | | 0.3528377699648418
RT_RCDATA | 0x17cb994 | 0x19e0 | Delphi compiled form 'Tqkiaikgfsjjp0lte3g327xhqo2l5rp1pj' | | | 0.4394625603864734
RT_RCDATA | 0x17cd374 | 0x1148 | Delphi compiled form 'Tqkzyqe451b8h95d2p817d5400uk4uf8x4070' | | | 0.3141952983725136
RT_RCDATA | 0x17ce4bc | 0x1084 | Delphi compiled form 'Tqqs7g5y4l8yh03kwrtp8g9445c7l370177' | | | 0.31385998107852414
RT_RCDATA | 0x17cf540 | 0x15dd | Delphi compiled form 'Tsy7100e10yhxw7042098tk4sis3o3u10m03p4n' | | | 0.2969447918527783
RT_RCDATA | 0x17d0b20 | 0xff6 | Delphi compiled form 'Ttn6d2ii4pg00mjqx1s1tsa156480yyo68e' | | | 0.2887909936368086
RT_RCDATA | 0x17d1b18 | 0x126b | Delphi compiled form 'Tucm29h8565hf56msrh11l23h0ad9chc39t431' | | | 0.3130434782608696
RT_RCDATA | 0x17d2d84 | 0x395 | Delphi compiled form 'Twcm3x0eo6z071s73863e9hsc0bhob7n68owa' | | | 0.5899672846237731
RT_RCDATA | 0x17d311c | 0x540 | Delphi compiled form 'Txjkzfzj192m190muet04fgh7osy98a3ad35tlen' | | | 0.5691964285714286
RT_RCDATA | 0x17d365c | 0x80a | Delphi compiled form 'Txodz8nq5gn249zp0144h08e62h3e7hx0nn8fr0' | | | 0.49611273080660834
RT_RCDATA | 0x17d3e68 | 0xaaa | Delphi compiled form 'Txp8061h9e024jo8p18eipczo57ws4p45sl9m' | | | 0.4117216117216117
RT_RCDATA | 0x17d4914 | 0x13c | Delphi compiled form 'Tzrk0k1l022b7r8b42i0r4t0xj40a28lyel13176e' | | | 0.7373417721518988
RT_GROUP_CURSOR | 0x17d4a50 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.25
RT_GROUP_CURSOR | 0x17d4a64 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
RT_GROUP_CURSOR | 0x17d4a78 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
RT_GROUP_CURSOR | 0x17d4a8c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
RT_GROUP_CURSOR | 0x17d4aa0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
RT_GROUP_CURSOR | 0x17d4ab4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
RT_GROUP_CURSOR | 0x17d4ac8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
RT_GROUP_CURSOR | 0x17d4adc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
RT_GROUP_CURSOR | 0x17d4af0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
RT_GROUP_CURSOR | 0x17d4b04 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
RT_GROUP_CURSOR | 0x17d4b18 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
RT_GROUP_CURSOR | 0x17d4b2c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
RT_GROUP_CURSOR | 0x17d4b40 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
RT_GROUP_CURSOR | 0x17d4b54 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x17d4b68 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x17d4b7c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x17d4b90 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x17d4ba4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x17d4bb8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x17d4bcc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_VERSION | 0x17d4be0 | 0x218 | data | English | United States | 0.47947761194029853
DLL | Import
winmm.dll | PlaySoundW
wininet.dll | InternetCloseHandle
winspool.drv | DocumentPropertiesW
comctl32.dll | ImageList_GetImageInfo
shell32.dll | SHGetSpecialFolderLocation
user32.dll | DdeSetUserHandle
version.dll | GetFileVersionInfoSizeW
oleaut32.dll | GetErrorInfo
advapi32.dll | RegSetValueExW
netapi32.dll | NetWkstaGetInfo
msvcrt.dll | memcpy
winhttp.dll | WinHttpGetIEProxyConfigForCurrentUser
kernel32.dll | GetVersion, GetVersionExW
SHFolder.dll | SHGetFolderPathW
wsock32.dll | gethostbyaddr
ole32.dll | OleRegEnumVerbs
gdi32.dll | Pie
ntdll.dll | RtlCompressBuffer
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x46ef38
__dbk_fcall_wrapper | 2 | 0x412fcc
dbkFCallWrapperAddr | 1 | 0x8e6640
y4c1l01066ejk5s6 | 4 | 0x8b6b44
Language of compilation system | Country where language is spoken
Portuguese | Brazil
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2024 03:29:21.608484983 CEST | 53 | 58612 | 1.1.1.1 | 192.168.2.4

Target ID:0
Start time:21:29:01
Start date:02/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\1.dll"
Imagebase:0x5e0000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:1
Start time:21:29:01
Start date:02/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:21:29:01
Start date:02/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1.dll",#1
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:21:29:01
Start date:02/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\1.dll,TMethodImplementationIntercept
Imagebase:0x150000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:4
Start time:21:29:01
Start date:02/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\1.dll",#1
Imagebase:0x150000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:8
Start time:21:29:04
Start date:02/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 696
Imagebase:0xc30000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:21:29:04
Start date:02/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 704
Imagebase:0xc30000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:21:29:04
Start date:02/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\1.dll,__dbk_fcall_wrapper
Imagebase:0x150000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:11
Start time:21:29:07
Start date:02/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\1.dll,dbkFCallWrapperAddr
Imagebase:0x150000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:13
Start time:21:29:09
Start date:02/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6664 -s 704
Imagebase:0xc30000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:21:29:12
Start date:02/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\1.dll",TMethodImplementationIntercept
Imagebase:0x150000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:15
Start time:21:29:12
Start date:02/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\1.dll",__dbk_fcall_wrapper
Imagebase:0x150000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:16
Start time:21:29:13
Start date:02/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\1.dll",dbkFCallWrapperAddr
Imagebase:0x150000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:17
Start time:21:29:13
Start date:02/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\1.dll",y4c1l01066ejk5s6
Imagebase:0x150000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:19
Start time:21:29:17
Start date:02/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 696
Imagebase:0xc30000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

No disassembly