
Windows Analysis Report
4.dll

Overview

General Information

Sample name: 4.dll
Analysis ID: 1524656
MD5: 7c8aa0252ec1f69683f1913ddb959cc8
SHA1: 10a96703723cb4004f5100c2ae2b6473d3148a41
SHA256: 357a4d81993b49f5e3dd31338423e5272deca88a44b5fbd9d630d1d7d1a712b1
Tags: dll, Mekotio, user-Merlax_

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
Tries to evade analysis by executing a special instruction (VM detection)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6420 cmdline: loaddll32.exe "C:\Users\user\Desktop\4.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 2012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7016 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\4.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7012 cmdline: rundll32.exe "C:\Users\user\Desktop\4.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 5416 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 708 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 6696 cmdline: rundll32.exe C:\Users\user\Desktop\4.dll,TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 2908 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6696 -s 696 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 6068 cmdline: rundll32.exe C:\Users\user\Desktop\4.dll,__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6592 cmdline: rundll32.exe C:\Users\user\Desktop\4.dll,dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7208 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6592 -s 696 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 8144 cmdline: rundll32.exe "C:\Users\user\Desktop\4.dll",TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 1876 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8144 -s 696 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 8152 cmdline: rundll32.exe "C:\Users\user\Desktop\4.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8160 cmdline: rundll32.exe "C:\Users\user\Desktop\4.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 1412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8160 -s 696 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 8176 cmdline: rundll32.exe "C:\Users\user\Desktop\4.dll",liydq47sc2u82rq6r MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 4.dll | Avira: detected
Source: 4.dll | ReversingLabs: Detection: 13%
Source: 4.dll | Virustotal: Detection: 25%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.1% probability
Source: 4.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

System Summary

Source: 4.dll | Static PE information: section name: WaAinCN[
Source: 4.dll | Static PE information: section name: ,GG>VJO]
Source: 4.dll | Static PE information: section name: m)r'k(V"
Source: 4.dll | Static PE information: section name: <gm_aJfm
Source: 4.dll | Static PE information: section name: nQ[c;RTn
Source: 4.dll | Static PE information: section name: <>bO3Al;
Source: 4.dll | Static PE information: section name: WrC1W4?i
Source: 4.dll | Static PE information: section name: 0fRV/G:a
Source: 4.dll | Static PE information: section name: "&1i">YD
Source: 4.dll | Static PE information: section name: s3;)JY&s
Source: 4.dll | Static PE information: section name: 7#F3%m3
Source: 4.dll | Static PE information: section name: M8.>cPX
Source: 4.dll | Static PE information: section name: "T [R\o?
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 708
Source: 4.dll | Static PE information: Number of sections : 13 > 10
Source: 4.dll | Binary or memory string: OriginalFileName vs 4.dll
Source: 4.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal80.evad.winDLL@25/21@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6592
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7012
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8144
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\liydq47sc2u82rq6r
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8160
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2012:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6696
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d4dae6ec-9581-467e-b530-85cfe5bbf3d4
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4.dll,TMethodImplementationIntercept
Source: 4.dllReversingLabs: Detection: 13%
Source: 4.dllVirustotal: Detection: 25%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\4.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\4.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4.dll,TMethodImplementationIntercept
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 708
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4.dll,__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4.dll,dbkFCallWrapperAddr
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6592 -s 696
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4.dll",liydq47sc2u82rq6r
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8160 -s 696
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8144 -s 696
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6696 -s 696
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: shfolder.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wsock32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: olepro32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: security.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 4.dll Static file information: File size 25627136 > 1048576
Source: 4.dll Static PE information: Raw size of WaAinCN[ is bigger than: 0x100000 < 0x510c00
Source: 4.dll Static PE information: Raw size of "&1i">YD is bigger than: 0x100000 < 0x976a00
Source: 4.dll Static PE information: Raw size of 7#F3%m3 is bigger than: 0x100000 < 0x921a00
Source: initial sample Static PE information: section where entry point is pointing to: 7#F3%m3
Source: 4.dll Static PE information: section name: WaAinCN[
Source: 4.dll Static PE information: section name: ,GG>VJO]
Source: 4.dll Static PE information: section name: m)r'k(V"
Source: 4.dll Static PE information: section name: <gm_aJfm
Source: 4.dll Static PE information: section name: nQ[c;RTn
Source: 4.dll Static PE information: section name: <>bO3Al;
Source: 4.dll Static PE information: section name: WrC1W4?i
Source: 4.dll Static PE information: section name: 0fRV/G:a
Source: 4.dll Static PE information: section name: "&1i">YD
Source: 4.dll Static PE information: section name: s3;)JY&s
Source: 4.dll Static PE information: section name: 7#F3%m3
Source: 4.dll Static PE information: section name: M8.>cPX
Source: 4.dll Static PE information: section name: "T [R\o?

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6420 base: 430007 value: E9 EB DF 36 77
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6420 base: 7779DFF0 value: E9 1E 20 C9 88
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6696 base: C00007 value: E9 EB DF B9 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6696 base: 7779DFF0 value: E9 1E 20 46 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7012 base: AF0007 value: E9 EB DF CA 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7012 base: 7779DFF0 value: E9 1E 20 35 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6068 base: 770007 value: E9 EB DF 02 77
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6068 base: 7779DFF0 value: E9 1E 20 FD 88
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6592 base: CF0007 value: E9 EB DF AA 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6592 base: 7779DFF0 value: E9 1E 20 55 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8144 base: 34F0007 value: E9 EB DF 2A 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8144 base: 7779DFF0 value: E9 1E 20 D5 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8152 base: E00007 value: E9 EB DF 99 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8152 base: 7779DFF0 value: E9 1E 20 66 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8160 base: F50007 value: E9 EB DF 84 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8160 base: 7779DFF0 value: E9 1E 20 7B 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8176 base: 6690007 value: E9 EB DF 10 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8176 base: 7779DFF0 value: E9 1E 20 EF 8E
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 19F6879
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 1A90015
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 20457D8
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 1998A30
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 20A94AF
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 2120055
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 1AEC18E
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 209FFB4
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 187EBB2
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 20C7CD0
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 217F366
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 19E2BA5
Source: C:\Windows\System32\loaddll32.exeSpecial instruction interceptor: First address: 19A1CB0, instruction: rdtsc, caused by: RDTSC with Trap Flag (TF)
The sample reads the CPU timestamp counter with rdtsc. Comparing two such reads around a short code sequence is the classic timing check for a hypervisor or single-stepping sandbox that intercepts the instruction (the interception makes the delta far larger than on bare metal); this is the evidence behind the "Tries to evade analysis by execution special instruction (VM detection)" signature.
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000 (120 s, long enough to outlast a short sandbox run before the payload does anything observable)
The "Binary or memory string" hits below come from Amcache.hve.8.dr, a copy of the Amcache.hve registry hive captured as a dropped file. Amcache records the machine's installed programs, drivers and devices, so the VMware and Hyper-V strings are the analysis VM's own hardware inventory, not strings carried or queried by 4.dll; on their own they are not evidence that the sample fingerprints the hypervisor.
Source: Amcache.hve.8.drBinary or memory string: VMware
Source: Amcache.hve.8.drBinary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin
Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.
Source: Amcache.hve.8.drBinary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.drBinary or memory string: vmci.sys
Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin`
Source: Amcache.hve.8.drBinary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.drBinary or memory string: VMware20,1
Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.drBinary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.drBinary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.drBinary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.drBinary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.drBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.8.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\loaddll32.exeProcess information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\loaddll32.exeThread information set: HideFromDebugger (2 entries in the original listing)
Source: C:\Windows\SysWOW64\rundll32.exeThread information set: HideFromDebugger (16 entries in the original listing)
HideFromDebugger is NtSetInformationThread with the ThreadHideFromDebugger information class: a thread marked this way no longer delivers debug events, so an attached debugger loses sight of it and a breakpoint hit inside it becomes an unhandled exception instead of a break. This is the evidence behind the "Hides threads from debuggers" signature.
Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort (2 entries in the original listing)
Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugObjectHandle (3 entries in the original listing)
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort (26 entries in the original listing)
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugObjectHandle (24 entries in the original listing)
These are NtQueryInformationProcess calls with the ProcessDebugPort and ProcessDebugObjectHandle information classes (ProcessDebugPort is the same check CheckRemoteDebuggerPresent performs); a non-zero result means a debugger is attached. They are the evidence behind the "Checks if the current process is being debugged" signature, and the repeat counts show the check runs repeatedly during execution rather than once at start-up.
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4.dll",#1
Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.drBinary or memory string: msmpeng.exe
Source: Amcache.hve.8.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.drBinary or memory string: MsMpEng.exe
These MsMpEng.exe (Windows Defender) paths are again Amcache.hve entries, i.e. the analysis VM's own Defender installation records, not process names embedded in the sample. If they are the only AV-related strings in the report, the "AV process strings found" observation is sandbox noise rather than sample behaviour; it would become meaningful only if a Defender-related string turned up in 4.dll itself or in a memory dump of the loaddll32.exe/rundll32.exe processes.
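The evidence in the two sections above (the special-instruction traps, the 120 s sleep, the HideFromDebugger and DebugPort/DebugObjectHandle calls, and the Amcache and WerFault entries) is exactly what an analyst has to weigh when deciding how much of a score like this one is driven by the sample and how much by the sandbox. The following Python script is an added example, not part of the Joe Sandbox report or of its signature engine: it parses lines in the report's own "Source: ..." format, counts repeats per process, scores each distinct finding once, and books WerFault's SetErrorMode flags and the Amcache hive strings as noise. The rule labels, weights, the 60 s sleep threshold and the 100-point cap are assumptions chosen for illustration; the embedded input lines are copied from this report.

```python
"""Added triage example, not code from the Joe Sandbox report or its signature engine.

It parses evidence lines shaped like this report's ("Source: <process or dropped
file><Event>: <value>"), counts repeats per process and weights distinct findings
into a score; labels, weights and the sleep threshold are this example's own
assumptions. SetErrorMode flags set by WerFault.exe and hypervisor or AV strings
found in a dumped Amcache.hve hive are counted as noise rather than scored.
"""
import re
from collections import Counter, defaultdict

# The report glues the source path to the event name: the source ends in ".exe"
# (a process) or ".dr" (a dropped file), the event runs up to the first colon,
# and the trailing "Jump to behavior" link caption is dropped.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>\S+?\.(?:exe|dr))(?P<event>[^:]+?):\s*"
    r"(?P<value>.*?)(?:Jump to behavior)?\s*$"
)
VM_MARKERS = re.compile(r"vmware|vmci|vbox|virtualbox|hyper-v|qemu|xen", re.I)
AV_PROCS = re.compile(r"\b(msmpeng|avp|avgnt|mbam|ccsvchst)\.exe\b", re.I)
DELAY_RE = re.compile(r"delay time:\s*(\d+)")

# (event, value pattern, label, weight): a finding scores once per process however
# often it repeats; the repeat count is kept for the report.
RULES = [
    ("Thread information set", r"^HideFromDebugger$", "anti-debug: ThreadHideFromDebugger", 15),
    ("Process queried", r"^Debug(Port|ObjectHandle)$", "anti-debug: ProcessDebugPort/ProcessDebugObjectHandle query", 10),
    ("Special instruction interceptor", r"\brdtsc\b|\bcpuid\b", "anti-VM: rdtsc/cpuid trap", 25),
    ("API/Special instruction interceptor", r".", "anti-VM: special instruction intercepted", 5),
]
W_VM_STRING, W_AV_STRING, W_SLEEP = 15, 10, 10


def parse(line):
    """Return (source basename, event, value), or None for a non-evidence line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src = m.group("src").rsplit("\\", 1)[-1]
    return src, m.group("event").strip(), m.group("value").strip()


def triage(lines, sleep_threshold_ms=60_000, cap=100):
    """Return {"findings": {proc: Counter(label -> hits)}, "noise": Counter, "score": int}."""
    findings = defaultdict(Counter)
    noise = Counter()
    weight_of = {}

    def hit(src, label, weight):
        findings[src][label] += 1
        weight_of[label] = weight

    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        src, event, value = parsed
        low = src.lower()
        if event == "Process information set" and low == "werfault.exe":
            noise["SetErrorMode flags set by WerFault.exe (crash handler, not the sample)"] += 1
        elif event == "Binary or memory string":
            if VM_MARKERS.search(value):
                kind, weight = "hypervisor vendor string", W_VM_STRING
            elif AV_PROCS.search(value):
                kind, weight = "AV process name string", W_AV_STRING
            else:
                continue
            if low.startswith("amcache.hve"):  # the VM's own inventory hive, dumped
                noise[kind + " in dumped Amcache.hve (analysis VM inventory)"] += 1
            else:
                hit(src, "anti-analysis: " + kind + " in sample memory", weight)
        elif event == "Thread delayed":
            d = DELAY_RE.search(value)
            if d and int(d.group(1)) >= sleep_threshold_ms:
                hit(src, "evasion: long sleep (%s ms)" % d.group(1), W_SLEEP)
        else:
            for rule_event, pattern, label, weight in RULES:
                if event == rule_event and re.search(pattern, value):
                    hit(src, label, weight)
                    break

    score = sum(weight_of[label] for proc in findings.values() for label in proc)
    return {"findings": dict(findings), "noise": noise, "score": min(cap, score)}


# Lines of each kind copied from this report, to exercise the rules.
SAMPLE = r"""
Source: C:\Windows\System32\loaddll32.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugObjectHandleJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 19F6879
Source: C:\Windows\System32\loaddll32.exeSpecial instruction interceptor: First address: 19A1CB0 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
Source: Amcache.hve.8.drBinary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.drBinary or memory string: vmci.sys
Source: Amcache.hve.8.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
"""

if __name__ == "__main__":
    result = triage(SAMPLE.splitlines())
    for proc, hits in sorted(result["findings"].items()):
        print(proc, dict(hits))
    print("noise:", dict(result["noise"]), "score:", result["score"])
```

Run as-is it prints the per-process findings and the score for the embedded lines; to apply it to another report, paste that report's behaviour listing into a file and call triage(open(path).read().splitlines()). The point of the design is that a WerFault crash loop or a dumped system hive cannot raise the score by itself, while a single rdtsc trap or HideFromDebugger call still does.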
MITRE ATT&CK mapping (techniques with matched signatures; the number in parentheses is the report's signature-count badge as printed; the remaining cells of the original matrix are the unmatched template)

Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
Defense Evasion: Rundll32 (1), Virtualization/Sandbox Evasion (111), Process Injection (11), DLL Side-Loading (1)
Credential Access: Credential API Hooking (1)
Discovery: Security Software Discovery (321), Process Discovery (1), Virtualization/Sandbox Evasion (111), System Information Discovery (21)
Collection: Credential API Hooking (1)
No matched techniques: Reconnaissance, Resource Development, Initial Access, Execution, Lateral Movement, Command and Control, Exfiltration, Impact
Behavior Graph ID: 1524656, Sample: 4.dll, Startdate: 03/10/2024, Architecture: WINDOWS, Score: 80

Signatures on the sample itself:
  Antivirus / Scanner detection for submitted sample
  Multi AV Scanner detection for submitted file
  PE file contains section with special chars
  AI detected suspicious sample

Process tree with per-process signatures:
  loaddll32.exe
    Overwrites code with unconditional jumps - possibly settings hooks in foreign process
    Tries to evade analysis by execution special instruction (VM detection)
    Hides threads from debuggers
    Switches to a custom stack to bypass stack traces
    -> cmd.exe
         -> rundll32.exe
              Overwrites code with unconditional jumps - possibly settings hooks in foreign process
              Hides threads from debuggers
              -> WerFault.exe
    -> rundll32.exe
         Overwrites code with unconditional jumps - possibly settings hooks in foreign process
         Hides threads from debuggers
         -> WerFault.exe
    -> rundll32.exe
         -> WerFault.exe
    -> 6 other processes
         -> WerFault.exe (two instances)

Antivirus detection for the submitted file (Source | Detection | Scanner | Label)
4.dll | 14% | ReversingLabs |
4.dll | 25% | Virustotal |
4.dll | 100% | Avira | HEUR/AGEN.1327619
No Antivirus matches
No Antivirus matches
No Antivirus matches
URLs found in the sample (Source | Detection | Scanner | Label). The URLs are reproduced as extracted; the trailing characters on some of them (S, q, SV) are residue of string extraction, not part of the URL. The Indy and Borland namespace entries are library strings typical of a Delphi build (Indy networking, Delphi SOAP), not contacted hosts.
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
http://www.indyproject.org/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
http://www.schneier.com/paper-blowfish-fse.htmlS | 0% | Virustotal |
http://www.borland.com/namespaces/Types-IWSDLPublish | 0% | Virustotal |
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf | 0% | Virustotal |
http://tools.ietf.org/html/rfc4648S | 0% | Virustotal |
http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS | 0% | Virustotal |
http://www.borland.com/namespaces/Types-IAppServerSOAPq | 0% | Virustotal |
http://schemas.xmlsoap.org/wsdl/soap12/SV | 0% | Virustotal |
http://www.borland.com/rootpart.xml | 0% | Virustotal |
http://www.itl.nist.gov/fipspubs/fip180-1.htm | 0% | Virustotal |
http://tools.ietf.org/html/rfc1321 | 0% | Virustotal |
http://tempuri.org/ | 0% | Virustotal |
No contacted domains info
URL details (Name | Source | Malicious | Antivirus Detection | Reputation)

http://www.borland.com/namespaces/Types-IWSDLPublish
  Source: rundll32.exe, 00000004.00000002.2969295953.0000000004D90000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004A40000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004C40000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.00000000052C0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.00000000051D0000.00000020.00000001.01000000.00000003.sdmp, 4.dll
  Malicious: false | Reputation: unknown

http://schemas.xmlsoap.org/soap/encoding/
  Source: loaddll32.exe, 00000000.00000003.2709783602.0000000003B0A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2971766216.000000000643A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1895761263.00000000060FA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2648919158.0000000005D5A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1785818097.000000000620A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.2786190838.000000000693A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2789474364.000000000680A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000003.2749699555.00000000069AA000.00000004.00001000.00020000.00000000.sdmp, 4.dll
  Malicious: false | Antivirus Detection: URL Reputation: safe (listed twice) | Reputation: unknown

http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
  Source: 4.dll
  Malicious: false | Reputation: unknown

http://tools.ietf.org/html/rfc1321
  Source: rundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dll
  Malicious: false | Reputation: unknown

http://schemas.xmlsoap.org/soap/envelope/
  Source: the same five rundll32.exe memory dumps as for rfc1321, plus 4.dll
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

http://www.borland.com/rootpart.xml
  Source: the same five rundll32.exe memory dumps as for rfc1321, plus 4.dll
  Malicious: false | Reputation: unknown

http://www.schneier.com/paper-blowfish-fse.htmlS
  Source: the same five rundll32.exe memory dumps as for rfc1321, plus 4.dll
  Malicious: false | Reputation: unknown

http://tempuri.org/
  Source: rundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2971613997.000000000605F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1883462367.0000000005D0F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1773611853.0000000005F0F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2785808534.000000000658F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2789302369.000000000649F000.00000002.00000001.01000000.00000003.sdmp, 4.dll
  Malicious: false | Reputation: unknown
http://upx.sf.netAmcache.hve.8.drfalse
  • URL Reputation: safe
unknown
http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfSrundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalseunknown
http://www.indyproject.org/loaddll32.exe, 00000000.00000003.2709783602.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2969295953.0000000004D90000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2971766216.00000000063A0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1895761263.0000000006060000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004A40000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000003.2648919158.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004C40000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1785818097.0000000006170000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.2782196641.00000000052C0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2786190838.00000000068A0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2739707705.0000000006270000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.2784905046.00000000051D0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2789474364.0000000006770000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2749699555.0000000006910000.00000004.00001000.00020000.00000000.sdmp, 4.dllfalse
  • URL Reputation: safe
unknown
http://tools.ietf.org/html/rfc4648Srundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalseunknown
http://www.borland.com/namespaces/Types-IAppServerSOAPqloaddll32.exe, 00000000.00000003.2709783602.0000000003A77000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2648919158.0000000005CC7000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2739707705.0000000006277000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2749699555.0000000006917000.00000004.00001000.00020000.00000000.sdmpfalseunknown
http://schemas.xmlsoap.org/wsdl/soap12/SVrundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalseunknown
http://www.itl.nist.gov/fipspubs/fip180-1.htmrundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalseunknown
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfSrundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalse
    unknown
    http://schemas.xmlsoap.org/wsdl/soap/rundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalse
      unknown
      http://www.borland.com/namespaces/TypesAloaddll32.exe, 00000000.00000003.2709783602.0000000003AED000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2648919158.0000000005D3D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2749699555.000000000698D000.00000004.00001000.00020000.00000000.sdmpfalse
        unknown
        http://www.borland.com/namespaces/Types-IAppServerSOAPrundll32.exe, 00000004.00000002.2971766216.00000000063A7000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1895761263.0000000006067000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1785818097.0000000006177000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.2786190838.00000000068A7000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.2789474364.0000000006777000.00000004.00001000.00020000.00000000.sdmpfalse
          unknown
          http://www.movable-type.co.uk/scripts/xxtea.pdfSrundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalse
            unknown
            http://www.borland.com/namespaces/Typesrundll32.exe, 00000017.00000003.2749699555.000000000698D000.00000004.00001000.00020000.00000000.sdmp, 4.dllfalse
              unknown
              http://schemas.xmlsoap.org/soap/httprundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalse
                unknown
                http://schemas.xmlsoap.org/wsdl/soap/#rundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalse
                  unknown
                  http://www.schneier.com/paper-twofish-paper.pdfSrundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalse
                    unknown
                    http://schemas.xmlsoap.org/wsdl/http/rundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalse
                      unknown
                      http://tempuri.org/Urundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalse
                        unknown
                        http://schemas.xmlsoap.org/wsdl/rundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalse
                        • URL Reputation: safe
                        unknown
                        http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfUrundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalse
                          unknown
                          http://www.componentace.com4.dllfalse
                            unknown
                            http://schemas.xmlsoap.org/wsdl/mime/rundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalse
                              unknown
                              http://www.borland.com/namespaces/Types-IAppServerSOAPUrundll32.exe, 00000004.00000002.2969295953.0000000004D90000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004A40000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004C40000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.00000000052C0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.00000000051D0000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalse
                                unknown
                                http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfSrundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalse
                                  unknown
                                  http://www.borland.com/namespaces/Typesaloaddll32.exe, 00000000.00000003.2709783602.0000000003AED000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2648919158.0000000005D3D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2749699555.000000000698D000.00000004.00001000.00020000.00000000.sdmpfalse
                                    unknown
                                    http://www.ietf.org/rfc/rfc3447.txtSrundll32.exe, 00000004.00000002.2969295953.0000000004881000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1832967987.0000000004531000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1726241998.0000000004731000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2782196641.0000000004DB1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2784905046.0000000004CC1000.00000020.00000001.01000000.00000003.sdmp, 4.dllfalse
                                      unknown
                                      No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1524656
Start date and time: 2024-10-03 03:29:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 4.dll
Detection: MAL
Classification: mal80.evad.winDLL@25/21@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .dll
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 93.184.221.240, 13.89.179.12, 52.168.117.173, 104.208.16.94
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, time.windows.com, onedsblobprdcus17.centralus.cloudapp.azure.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, blobcollector.events.data.trafficmanager.net, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
Time | Type | Description
--- | --- | ---
22:34:22 | API Interceptor | 5x Sleep call for process: WerFault.exe modified
22:36:01 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
                                      No context
                                      No context
                                      No context
                                      No context
                                      No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9541442025050513
Encrypted: false
SSDEEP: 192:yTtYigxOhOT0BU/wjeThuzzuiFKZ24IO84ci:GtYigIhOABU/wjeuzuiFKY4IO84ci
MD5: D60776A1156348DF884297F09A6AC0D0
SHA1: 718ECC0DE52506F48DC971353C084E22CB59276A
SHA-256: 80BC094148BF5E9F297C2C9FF1188E17DFB2E2B3A838916A17193249231B893A
SHA-512: AF2858AC78FD4E44036CE239BB651CBA2FE8B9796EF9AD00BD7331DC4688AC40FB531FF450E6A2FAF4DF7EE0F90F867DCE2C4C743B2E023A3AEF53AA3D1D862B
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.9.6.5.6.5.1.0.8.8.8.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.9.6.5.6.5.9.9.9.5.8.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.4.9.7.5.6.6.-.3.8.8.2.-.4.f.4.2.-.9.9.3.7.-.3.f.9.1.c.1.b.0.d.4.d.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.2.9.e.3.9.0.-.9.1.d.e.-.4.1.7.3.-.b.c.e.b.-.7.1.a.4.8.7.7.c.5.e.5.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.e.0.-.0.0.0.1.-.0.0.1.4.-.d.6.3.2.-.d.e.f.b.3.c.1.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: modified
Size (bytes): 65536
Entropy (8bit): 0.9544232363402136
Encrypted: false
SSDEEP: 192:2NqiuOjOT0BU/wjeThuzzuiFOZ24IO84ci:gqivjOABU/wjeuzuiFOY4IO84ci
MD5: A3CB4CC3351BC13D17788E9BA4A31BAB
SHA1: 831B404719F9FC780EE005279F33BCF66E5F5EE4
SHA-256: 327D8B5DFFD16C446605057BE0BEE67AD01BE72539B8FBFBF9102B4F81E8955D
SHA-512: B88E18F99BB5E71824908684A5020D238CAAE83D835A117BFDE0A3F8E70C798F8A9E2336E06E6C3DF928B17D1D86712D8BEE820B22B00DFE60C138782C1E965E
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.9.2.6.0.9.0.0.3.9.3.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.9.2.6.0.9.5.5.0.7.7.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.c.8.6.0.b.4.d.-.5.6.f.5.-.4.c.0.2.-.b.8.a.3.-.6.7.5.7.c.7.4.0.8.b.8.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.6.e.6.3.0.7.e.-.8.7.4.7.-.4.9.3.b.-.b.4.5.7.-.7.6.1.e.1.5.6.9.8.b.5.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.6.4.-.0.0.0.1.-.0.0.1.4.-.5.d.9.f.-.3.f.c.7.3.3.1.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: modified
Size (bytes): 65536
Entropy (8bit): 0.953754104415554
Encrypted: false
SSDEEP: 192:zliFOJOT0BU/wjeThuzzuiFOZ24IO84ci:xi8JOABU/wjeuzuiFOY4IO84ci
MD5: B745EC7ECB0BB27247DF187E3E55F762
SHA1: C9C76A5844DF4422B7C01BE14F0336EE3703ACB0
SHA-256: 93B119453139C8911380389D908C723950A29CD13187C75B8F8E6F02CD156AF3
SHA-512: 55FA22B6A1B7E6858C2131195C6129B77F39801AF7865CBEC225BA01C4B1A05F819A11E6132F6D1FB650E16278FAD8B75D2FC634949AA11693C368F739D8E6B9
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.9.2.6.1.8.6.3.7.2.9.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.9.2.6.2.2.1.8.4.1.5.6.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.a.1.4.e.2.8.-.d.2.0.c.-.4.9.f.0.-.a.a.3.f.-.b.a.e.0.a.9.b.8.1.f.f.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.2.2.8.a.b.a.e.-.a.6.a.0.-.4.7.b.2.-.8.2.6.b.-.a.3.3.2.5.1.1.f.d.6.e.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.c.0.-.0.0.0.1.-.0.0.1.4.-.b.5.1.5.-.e.2.c.a.3.3.1.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9486035924203429
Encrypted: false
SSDEEP: 192:smi7OUOJ0BU/wjeThuzzuiFlZ24IO8dci:RiCUOqBU/wjeuzuiFlY4IO8dci
MD5: B01B3D06CE49D34507C6927A42331DD1
SHA1: BEF4393BC2CD6038A004A28A220BA8C0B8A56A02
SHA-256: 83E0DBB48A86F30E019EDB4FDAA437AAB148591D5F9754B7546C024749F6F808
SHA-512: 068F69F81DED6D037F9F3FC2D0BC468F22AB9386A04EAEB1AF6ABF39EFFF569A7C05F921EDEB61AAF294CB3BE46AB4396C4B1BB8FB364D4DC0DF2C88A84CC913
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.9.6.5.8.4.3.4.7.7.8.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.9.6.5.8.4.7.8.5.2.7.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.c.b.d.4.0.4.b.-.e.5.0.4.-.4.5.6.8.-.b.a.5.d.-.5.3.0.0.5.9.a.f.6.6.f.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.a.9.f.1.3.c.-.d.0.7.9.-.4.6.8.f.-.b.1.4.e.-.9.7.d.9.7.0.e.1.f.1.a.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.2.8.-.0.0.0.1.-.0.0.1.4.-.2.b.6.8.-.3.8.c.7.3.3.1.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9485957497148284
Encrypted: false
SSDEEP: 192:hgiXOxOJ0BU/wjeThuzzuiFKZ24IO8dcij:yi+xOqBU/wjeuzuiFKY4IO8dcij
MD5: 00BA0B65EE99053AFFFA628F6004627A
SHA1: 56A4A95DE3FE3AB52B7233513BA01CABED3A5E50
SHA-256: 03B4518CC0BE392CE53F372C2F21B6E53996F58CFCCD16A6E9F6BFD5FECE7AA9
SHA-512: BE5ECCD569A32E5AD9D9774017C028DBB4845C0C731C380205FFE69BE7921DB0F3D7A4F11A2DB314D32A590D7D83F466F9D585640C615107EA2390D139A4F409
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.9.6.5.6.5.3.2.0.0.8.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.9.6.5.6.5.9.7.6.2.7.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.d.7.5.2.8.3.2.-.c.4.7.7.-.4.4.8.c.-.8.4.c.f.-.a.b.b.2.2.3.1.f.f.d.c.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.b.b.0.1.c.a.-.1.d.1.a.-.4.6.5.7.-.9.7.7.2.-.4.1.0.4.f.1.6.f.4.6.e.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.d.0.-.0.0.0.1.-.0.0.1.4.-.1.b.2.b.-.d.7.f.b.3.c.1.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Thu Oct 3 01:30:09 2024, 0x1205a4 type
Category: dropped
Size (bytes): 45048
Entropy (8bit): 1.977694338680997
Encrypted: false
SSDEEP: 192:Nai+dC/Xo4/NO5H4Y15LD3jmpMMmBHnaXtik5l:edClI5HP1yOM0H+ik
MD5: B12F0F5D83462F0B73264309C58D4E28
SHA1: 0D85722237A1D648FE93767994AE1FED441CECB7
SHA-256: FBF98BE7FDB3F534ED7C4A625A58B68532BD636ACFF66939032AF548D467850A
SHA-512: B0D8D64331EE56F6F8512DBF14596AF0D9B383CAAD003CC6CBF2C0208BB2FCE985E0285D3986EEE4141BF2102F2EDA1BC75844DC12A5B49A4C7D682E30D7DD29
Malicious: false
Preview: MDMP..a..... ..........f........................................N/..........T.......8...........T..........................L...........8...............................................................................eJ..............GenuineIntel............T.......d......f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8324
                                      Entropy (8bit):3.68821996894672
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJZO686Y7J6Cgmf8JTprB89bXUsfq9m:R6lXJA686YF6Cgmf8JQXHf5
                                      MD5:C5D5FF1A9856EE32980DD1900249EE32
                                      SHA1:D11CABDD0B137350C310E26E520B1EB57F79A7FA
                                      SHA-256:476F668D9906630957AB2C8759094495EAAED25E803EBA719AEA07D251A4FE42
                                      SHA-512:494C90E5823B807F3F2DDAB4679984287C3581C35364383B64984777135C40196211B3167BCCB6677F9949D0CF537EF21324D54D2303ED660D0BA17C3BF6C338
                                      Malicious:false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.1.2.<./.P.i.
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4733
                                      Entropy (8bit):4.4401873756958645
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsfJg77aI95GWpW8VYRYm8M4JCdPJFVF++q8vjPJF1LqzGScSRd:uIjfBI7jH7VpJoAK9HWzJ3Rd
                                      MD5:E170EEEF4BC109F9CB24A4B5719920B2
                                      SHA1:19170FD2C2F0A485268DEF82BE0E9D79167AFFCD
                                      SHA-256:1B64447F61CF95AA976C11041A44FA2031DAD3EE182119A6B42F0DD444E9CDDB
                                      SHA-512:D00A8FD5916E8ECCBA9877B7AAED116F763E1390ED6F45F78E2F1AE4D1A95447AE8F7A661B8D4971D0F47B49949A6EF2897214683A4C31D9F6960128A7E5CDF3
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526592" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 01:30:19 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):43180
                                      Entropy (8bit):2.0326037588084214
                                      Encrypted:false
                                      SSDEEP:192:vd6edC/X04JAO5H43tvNhpi5RUABxPE+NeHOnRPT:jdCxB5HAvNhO2ABxNeyJ
                                      MD5:7EB9C0EAA0C52CAEC80C1C7F63C8B485
                                      SHA1:0A6EED27F820E568F111783FD5CAA13BDD8F94C3
                                      SHA-256:328BCFB5B58FE4E91C2FF7A5F9CBA91EA9AB4346433850538F3BC893E356548A
                                      SHA-512:F3F7DE9DB23F104CA3641912C7D2DFF9E184AE02270C52079AD8E9B288335D4AC3C056D87F43CA76FBD2FC72A8624D2D6AFAF26C9E5E2AFA6D4C7254FF11D09B
                                      Malicious:false
                                      Preview:MDMP..a..... ..........f........................................N/..........T.......8...........T..........................L...........8...............................................................................eJ..............GenuineIntel............T..............f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8352
                                      Entropy (8bit):3.687569417069597
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJd76us9/U6Yavp6ygmf8JTprF89bGXsfwim:R6lXJR6usG6Yk6ygmf8J8Gcfk
                                      MD5:F944C843705E654343E7B2C19395791E
                                      SHA1:96E0F7EB3901448FEFB5778F6667D82199E54A51
                                      SHA-256:2540E4C6EB6A5F7DF5E7FD02B574E4B957A1B62DA4DDD376EE46C30B2F9BBCCF
                                      SHA-512:E6712378F1D637B4D45ADEB4F53863742140D9082A28EC9B4A655D216784069B5209B07B594A4977B4978E38F15D325018AA33EA23CCB7796E4FA1726597BAFF
                                      Malicious:false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.9.2.<./.P.i.
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4733
                                      Entropy (8bit):4.435842986686717
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zswJg77aI95GWpW8VY8Ym8M4JCdPJFVFfJOC+q8vjPJFFGScSmd:uIjf2I7jH7V0Jo3LK9fJ3md
                                      MD5:9A4F9476F3481CD7686750713D7242DA
                                      SHA1:3008A199CC9917F67A888C89A3738FC1FE683F46
                                      SHA-256:4F2B10F60D1DDCC24C11A86E1862120B9558DAD64D9283CA3A5293CF27C4CFB1
                                      SHA-512:2AAF063630236E61C9E59ED0B86EABB8D8E64BA249F102EAA53EFEC571BF8F4C5A724873EE00D02D35C6EC983ECBD5DBE7B505F3F0FE8BD2EB2899D342D2E341
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526593" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 02:36:05 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):43872
                                      Entropy (8bit):2.034652956966329
                                      Encrypted:false
                                      SSDEEP:192:udLrdC/X94ptoO5H4rkoAJ07PZRjpiVr/v49tveAfOER5:adCept5HkAWPZc349B7
                                      MD5:BAA110EE20FBBE5B5620C26B92C7B592
                                      SHA1:4B3E913FE5B1365AB50258D4E2D6FD36439F6874
                                      SHA-256:C2132FF3656E263249C1BE6B1EA4DC2C96015F71C0DE606B725CE516CF9F2F19
                                      SHA-512:F1F19362641CD98EBB05595D01368AC33143C119EE04F92519C8B9DF4DB0263D74AEE5D0A1D0943AE3805BEFA028AFDD00BE055C62AE9992B41B6A30048AADCE
                                      Malicious:false
                                      Preview:MDMP..a..... ..........f........................................N/..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T..............f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 02:36:05 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):45424
                                      Entropy (8bit):2.047104629142782
                                      Encrypted:false
                                      SSDEEP:192:uUoLGdC/X24LO5H4vWuFL+T+fFwgl5Zg6+9hhXO:PdCLS5H9uoTtc5qR
                                      MD5:2FAE3B5F9F390869E943C5B09B4573FD
                                      SHA1:B09BC87E2116E58E1080313430906B9E7BF5CA64
                                      SHA-256:929F4E33211A3209E2A23B388F3062F23CB601D0B96B2F2EA5741FCF36CE8594
                                      SHA-512:CEF37B9CA38B252AE9F59D01974FB48CE5DD082CEF16CAF80063536D2FF50D6CF128AB0B0FADB44D611FA318320F7D5B8A58090F3C037D9527DD5CC9E0ABC733
                                      Malicious:false
                                      Preview:MDMP..a..... ..........f........................................N/..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T..............f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8336
                                      Entropy (8bit):3.6900076440024323
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJKP6Vz6Yql6AOgmf8JTprR889bmKsfhim:R6lXJS6B6Yg6AOgmf8Jvpmpfl
                                      MD5:B444215DE219A0462B02C7F6D04B6913
                                      SHA1:CC4D9C9DF828B2F765374130D6118329EE7FE597
                                      SHA-256:01F6A22CB09ACBF6581A5DAED832C0FCA75662A428488877B502FC770F4E590C
                                      SHA-512:21E0021502A03342F3D5DCCEF4C782FAAC9C7B5CE4D222A3AE7BA80EFDCE08566396C922C8045028AF78E987F46BF9E5E47A38ACB2DA154061C3887380B66310
                                      Malicious:false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.1.6.0.<./.P.i.
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4733
                                      Entropy (8bit):4.437568457305998
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zscJg77aI95GWpW8VYPYm8M4JCdPJFVFN+q8vjPJFCGScSud:uIjfaI7jH7VPJojK9UJ3ud
                                      MD5:8ADF71989C89CFB24B978EDDDA960FBE
                                      SHA1:1662E6CBD655AE661DFC6E33083C3E24451DEFF4
                                      SHA-256:698FF9F0ABAF67FA94A50AF4EDABD5D160CED464EBDD0580F94598AD95998A12
                                      SHA-512:A6100FD2F6B61F577BB8D616664D5341EAA9C0247C7558DC0732D25C6F5AA22C04B8D883EDAB137EB7C97DCBE2C17DB5CBB9106C25388368D342F5883549E468
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526658" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8270
                                      Entropy (8bit):3.692511363901867
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJs+65dU6YqV6AOgmfTOTprG89bmOsf+im:R6lXJF6w6YA6AOgmfTOBmNfS
                                      MD5:1ED5E82123E84A3B351A709CB4799102
                                      SHA1:82B7ACFE84448D0196040DDA2E95A2362F29FADF
                                      SHA-256:A24656E718303349ABFB1CE9A911A0BBDBC40BB46120CF0FF8A968EE7371FF1F
                                      SHA-512:E143946EB9C0640CA19EF199A766D0A0D0A2FF6993E66ED72081630DC42F170FF3FE3B8B0E6D4B8F7B7387475CF65BD9C4F0F711B36B98B85DCBBF481E4CA3A0
                                      Malicious:false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.1.4.4.<./.P.i.
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4632
                                      Entropy (8bit):4.448569960970608
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zscJg77aI95GWpW8VY/Ym8M4JCdPdvFSP+q8/oICWGScSgd:uIjfaI7jH7VrJuECnJ3gd
                                      MD5:BFB59D2D31A26527D9CB141EEBCFF9F0
                                      SHA1:FC8F3E31EAC37C46506C14DC73654266E889B440
                                      SHA-256:2702487AE8481AA621C12885AA6AB45D3E896FD47761C87F41DDD4D0F2D1EA33
                                      SHA-512:19D60AFF1E1422B1AAE50157DA4B4A6A1F833F04893F7C0A49E107B34D6C5D2D37CB07A3830A9E9F023E62267DC9DD8CB6560E12E2099C957119B1C098FE10CC
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526658" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 02:36:24 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):37640
                                      Entropy (8bit):2.240432967118597
                                      Encrypted:false
                                      SSDEEP:192:7KBsc1mhJXrdohqnWO5H4+fQAr2L52H81IYHDWC:WbmhdWhqnh5HvfQA252H8a
                                      MD5:F00553E97F274D5CD09ABBADD7AF0741
                                      SHA1:BE0FEC7B7F44F7EB851BDE777DF23CAE9A1FA5F2
                                      SHA-256:6058FD335997DF73C8C9B9E8D266D6BC4F520600BFD41A1FF0F04DF92817429C
                                      SHA-512:11515EA352D97B431CB59CB20CC2142553DEAB26FB4B2C077A62B912771CCF1B4351966799D4AF94F3BE0F9862D4A6A307001861C05848EC453895750943C60D
                                      Malicious:false
                                      Preview:MDMP..a..... .......(..f............d...............l...........R,..........T.......8...........T...............Pw......................................................................................................eJ..............GenuineIntel............T.......(......ff............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8284
                                      Entropy (8bit):3.692084887043067
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJiT6mV6Yqd6AOgmfTOTpr089bNAsfoAPm:R6lXJ+6E6YI6AOgmfTOvNTfw
                                      MD5:8E2DF4768507047CFCC65B731B9655AF
                                      SHA1:CD9792F7C25C642BB3E4900EE50B20059B036C24
                                      SHA-256:0B53D60805F08739E9925F0880C14254763C0B7404B5A0048128B3DD8195974E
                                      SHA-512:9C64CAE0F8C590BF30AB9C0AED96D265139E30148E72F745F4443A7EFB12674AC307401DCE9474E4C9F98A0A71074D54D4B788D2C9090D5BDD5A0F87F3F8498F
                                      Malicious:false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.9.6.<./.P.i.
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4632
                                      Entropy (8bit):4.448240287767642
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsrJg77aI95GWpW8VYQYm8M4JCdPdvFJDj+q8/oIPGScS0d:uIjfFI7jH7VgJu3DjCPJ30d
                                      MD5:349997B40CAE326241E546A9FE1CDA0A
                                      SHA1:BE2767E43014C7A574AEE4D30B1A20C759C6B4F0
                                      SHA-256:F3F3E558791A9A47798EFF02FEF06B39A5F73ED8A349F1CE0FCE00A389BA187F
                                      SHA-512:EB3FEF63361F0F1E4559C36377077F4372ABF4311C287619013E3E99E4EF17B3C54FF232E7B46E1944EA90233C3356962ACC2AF41C1B354ABD4EA20D88D9B118
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526659" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:MS Windows registry file, NT/2000 or above
                                      Category:dropped
                                      Size (bytes):1835008
                                      Entropy (8bit):4.41743980534248
                                      Encrypted:false
                                      SSDEEP:6144:Fcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNo5+:ii58oSWIZBk2MM6AFBWo
                                      MD5:9644F9D6BF2A72D3123E04217CD5DFB6
                                      SHA1:B9A4FFA0DCDF23059C7AD7E59D7565920E3E52BF
                                      SHA-256:9D905A0E6F02A8E6AE3EFC7F40E6C140E4BE087BBD29205B1C652B621FC860D8
                                      SHA-512:F978247EF714530DD2BAB461D9DC82587FE0692242A7EC4D9E3AB8FC86222B127A9BC8DAF2F111A3A7599EDEC13CA461E35038998D04D3DF1D4302EC439FB5F9
                                      Malicious:false
                                      Preview:regfG...G....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmf.p.3................................................................................................................................................................................................................................................................................................................................................`g.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.393138565207726
                                      TrID:
                                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.40%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.21%
                                      • Generic Win/DOS Executable (2004/3) 0.20%
                                      • DOS Executable Generic (2002/1) 0.20%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:4.dll
                                      File size:25'627'136 bytes
                                      MD5:7c8aa0252ec1f69683f1913ddb959cc8
                                      SHA1:10a96703723cb4004f5100c2ae2b6473d3148a41
                                      SHA256:357a4d81993b49f5e3dd31338423e5272deca88a44b5fbd9d630d1d7d1a712b1
                                      SHA512:10c4c23ea6c0017c5e7c2ef4480c308dc4111a5546a789ec5b2e21d77f3d20050f24b07293bb3a41347cc7150f6014bb3daf773cef1ef27f1041b775667f1efe
                                      SSDEEP:393216:q4DsXRxWJNFIZOPYDvdHdWMIgKlEHX7CdqJYRxYdy:BJ0OYDvUvlEHLCwWvYI
                                      TLSH:D4470257768A80FEC0861975863BE7D6123BF6311A0A8C773BC4290C5F31EB1663E997
                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                      Icon Hash:7ae282899bbab082
                                      Entrypoint:0x1553a72
                                      Entrypoint Section:7#F3%m3
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
                                      DLL Characteristics:
                                      Time Stamp:0x66FDCAA7 [Wed Oct 2 22:35:19 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:0
                                      File Version Major:5
                                      File Version Minor:0
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:0
                                      Import Hash:9a6d12fce3bb7f25c3b57d1fb6ad19d7
                                      Instruction
                                      call 00007F02A8B296A7h
                                      jne 00007F02A8B37C15h
                                      mov eax, dword ptr [ebp+08h]
                                      test edx, esp
                                      sar eax, 10h
                                      add word ptr [ecx], ax
                                      jmp 00007F02A8923F2Dh
                                      xor ecx, ebx
                                      pop eax
                                      shl dl, 00000067h
                                      neg ecx
                                      dec eax
                                      bswap ecx
                                      pop edx
                                      dec eax
                                      and eax, 8C1A81AAh
                                      not ecx
                                      inc ecx
                                      xor ebx, ecx
                                      rol dx, FF86h
                                      adc ebp, ecx
                                      lea edx, dword ptr [esp+edx-01FC7B64h]
                                      lea ecx, dword ptr [6193FAB7h+eax*8]
                                      bts ax, cx
                                      push ecx
                                      movzx cx, byte ptr [edx+eax-000001AAh]
                                      rol eax, 29h
                                      mov word ptr [eax+esi-00035408h], cx
                                      movsx ecx, ax
                                      lea esi, dword ptr [esi+eax-00035408h]
                                      adc dword ptr [esp+ecx*2-0000A800h], 009FA934h
                                      pop edx
                                      jne 00007F02A8D5B885h
                                      call 00007F02A905CB02h
                                      inc ecx
                                      mov edx, 15328604h
                                      inc ecx
                                      push edx
                                      dec edx
                                      inc dword ptr [esp+edx*4-54CA1810h]
                                      dec edi
                                      lea esp, dword ptr [esp+edx*2-2A650C0Ch]
                                      inc ecx
                                      mov esi, D48FE298h
                                      inc edi
                                      mov ecx, dword ptr [esp+edx-15328604h]
                                      inc ebp
                                      xor ecx, eax
                                      inc dx
                                      ror dword ptr [esp+edx*4-54CA180Bh], FFFFFFC2h
                                      inc ecx
                                      ror ecx, 1
                                      inc edi
                                      lea ecx, dword ptr [ecx+edx*4-56512B9Fh]
                                      inc ecx
                                      xor ecx, BF8CE993h
                                      inc ecx
                                      ror ecx, 00000000h
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x543000 | 0xbb | WrC1W4?i
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xebe944 | 0x168 | 7#F3%m3
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17df000 | 0x2ed5c | M8.>cPX
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x180e000 | 0x746fc | "T [R\o?
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0xebc000 | 0x8c | s3;)JY&s
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xfc60d0 | 0x1e0 | 7#F3%m3
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      WaAinCN[ | 0x1000 | 0x510b2c | 0x510c00 | 606fe70b36b13e49f995e5a197f8d9b9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      ,GG>VJO] | 0x512000 | 0x40a4 | 0x4200 | 06b04457ae981fa861db9f2ac581ce65 | False | 0.49461410984848486 | data | 6.068899494366079 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      m)r'k(V" | 0x517000 | 0x1a59c | 0x1a600 | a2a515132ae33e10d1c3b27e8b56b294 | False | 0.4633812203791469 | data | 6.749608585313089 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      <gm_aJfm | 0x532000 | 0xa080 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      nQ[c;RTn | 0x53d000 | 0x4240 | 0x4400 | 77d74617b539748d7105767d28d41820 | False | 0.9445082720588235 | data | 7.81539052349376 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      <>bO3Al; | 0x542000 | 0xd7c | 0xe00 | 8f87020b5ced9cb018223c805569fcee | False | 0.34402901785714285 | data | 4.285879617951253 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      WrC1W4?i | 0x543000 | 0xbb | 0x200 | f53a8daff93873baad621fa08ed02686 | False | 0.3203125 | data | 2.3589734725634326 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      0fRV/G:a | 0x544000 | 0x45 | 0x200 | 4ae75964954652113b5bc6e6bf8e2eec | False | 0.158203125 | ASCII text, with no line terminators | 1.1775367479159162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      "&1i">YD | 0x545000 | 0x976931 | 0x976a00 | 27fe489d0a91f3849e6421ed4b1778eb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      s3;)JY&s | 0xebc000 | 0xa4 | 0x200 | 9908d4960331d9239c2ea06f3a713867 | False | 0.189453125 | data | 1.179293874906901 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      7#F3%m3 | 0xebd000 | 0x921850 | 0x921a00 | 338e997c0c8a37ba054195eaad5f210f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      M8.>cPX | 0x17df000 | 0x2ed5c | 0x2ee00 | 17b75c5a8f3fa0362191f61c45113af7 | False | 0.22142708333333333 | data | 5.251963823535371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      "T [R\o? | 0x180e000 | 0x746fc | 0x74800 | dc1a3fd8b932d257b3afa6bed9dbe0cf | False | 0.5585979412553648 | data | 6.72055392323479 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_CURSOR | 0x17e15c8 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
                                      RT_CURSOR | 0x17e16fc | 0x134 | data | English | United States | 0.4642857142857143
                                      RT_CURSOR | 0x17e1830 | 0x134 | data | English | United States | 0.4805194805194805
                                      RT_CURSOR | 0x17e1964 | 0x134 | data | English | United States | 0.38311688311688313
                                      RT_CURSOR | 0x17e1a98 | 0x134 | data | English | United States | 0.36038961038961037
                                      RT_CURSOR | 0x17e1bcc | 0x134 | data | English | United States | 0.4090909090909091
                                      RT_CURSOR | 0x17e1d00 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
                                      RT_CURSOR | 0x17e1e34 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
                                      RT_CURSOR | 0x17e1f68 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
                                      RT_CURSOR | 0x17e209c | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
                                      RT_CURSOR | 0x17e21d0 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
                                      RT_CURSOR | 0x17e2304 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
                                      RT_CURSOR | 0x17e2438 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
                                      RT_CURSOR | 0x17e256c | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
                                      RT_CURSOR | 0x17e26a0 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
                                      RT_CURSOR | 0x17e27d4 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
                                      RT_CURSOR | 0x17e2908 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
                                      RT_CURSOR | 0x17e2a3c | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
                                      RT_CURSOR | 0x17e2b70 | 0x134 | data | Portuguese | Brazil | 0.12012987012987013
                                      RT_CURSOR | 0x17e2ca4 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
                                      RT_BITMAP | 0x17e2dd8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
                                      RT_BITMAP | 0x17e2fa8 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
                                      RT_BITMAP | 0x17e318c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
                                      RT_BITMAP | 0x17e335c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
                                      RT_BITMAP | 0x17e352c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
                                      RT_BITMAP | 0x17e36fc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
                                      RT_BITMAP | 0x17e38cc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
                                      RT_BITMAP | 0x17e3a9c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
                                      RT_BITMAP | 0x17e3c6c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
                                      RT_BITMAP | 0x17e3e3c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
                                      RT_BITMAP | 0x17e400c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5208333333333334
                                      RT_BITMAP | 0x17e40cc | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42857142857142855
                                      RT_BITMAP | 0x17e41ac | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.4955357142857143
                                      RT_BITMAP | 0x17e428c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.38392857142857145
                                      RT_BITMAP | 0x17e436c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4947916666666667
                                      RT_BITMAP | 0x17e442c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.484375
                                      RT_BITMAP | 0x17e44ec | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42410714285714285
                                      RT_BITMAP | 0x17e45cc | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5104166666666666
                                      RT_BITMAP | 0x17e468c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.5
                                      RT_BITMAP | 0x17e476c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4895833333333333
                                      RT_BITMAP | 0x17e482c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.3794642857142857
                                      RT_STRING | 0x17e490c | 0x3e8 | data | | | 0.4
                                      RT_STRING | 0x17e4cf4 | 0x538 | data | | | 0.34505988023952094
                                      RT_STRING | 0x17e522c | 0x654 | data | | | 0.2580246913580247
                                      RT_STRING | 0x17e5880 | 0xa38 | data | | | 0.27446483180428133
                                      RT_STRING | 0x17e62b8 | 0x974 | data | | | 0.2756198347107438
                                      RT_STRING | 0x17e6c2c | 0x50c | data | | | 0.34365325077399383
                                      RT_STRING | 0x17e7138 | 0x440 | data | | | 0.4108455882352941
                                      RT_STRING | 0x17e7578 | 0x46c | data | | | 0.39399293286219084
                                      RT_STRING | 0x17e79e4 | 0x3f0 | data | | | 0.38591269841269843
                                      RT_STRING | 0x17e7dd4 | 0x488 | data | | | 0.30689655172413793
                                      RT_STRING | 0x17e825c | 0x494 | data | | | 0.32849829351535836
                                      RT_STRING | 0x17e86f0 | 0x604 | data | | | 0.30324675324675326
                                      RT_STRING | 0x17e8cf4 | 0x414 | data | | | 0.407088122605364
                                      RT_STRING | 0x17e9108 | 0x31c | data | | | 0.46608040201005024
                                      RT_STRING | 0x17e9424 | 0x43c | data | | | 0.34870848708487084
                                      RT_STRING | 0x17e9860 | 0x768 | data | | | 0.36550632911392406
                                      RT_STRING | 0x17e9fc8 | 0x438 | data | | | 0.39814814814814814
                                      RT_STRING | 0x17ea400 | 0x4c4 | data | | | 0.37540983606557377
                                      RT_STRING | 0x17ea8c4 | 0x44c | data | | | 0.3927272727272727
                                      RT_STRING | 0x17ead10 | 0x574 | data | | | 0.37822349570200575
                                      RT_STRING | 0x17eb284 | 0x3f4 | data | | | 0.4150197628458498
                                      RT_STRING | 0x17eb678 | 0xe04 | data | | | 0.24442586399108138
                                      RT_STRING | 0x17ec47c | 0xb40 | data | | | 0.2635416666666667
                                      RT_STRING | 0x17ecfbc | 0xae4 | data | | | 0.3134863701578192
                                      RT_STRING | 0x17edaa0 | 0x8ac | data | | | 0.3063063063063063
                                      RT_STRING | 0x17ee34c | 0x798 | data | | | 0.2890946502057613
                                      RT_STRING | 0x17eeae4 | 0x4d0 | data | | | 0.4082792207792208
                                      RT_STRING | 0x17eefb4 | 0x44c | data | | | 0.3836363636363636
                                      RT_STRING | 0x17ef400 | 0x4b0 | data | | | 0.365
                                      RT_STRING | 0x17ef8b0 | 0x43c | data | | | 0.39206642066420666
                                      RT_STRING | 0x17efcec | 0x3a8 | data | | | 0.4230769230769231
                                      RT_STRING | 0x17f0094 | 0x3a0 | data | | | 0.4040948275862069
                                      RT_STRING | 0x17f0434 | 0x40c | data | | | 0.4015444015444015
                                      RT_STRING | 0x17f0840 | 0x3f8 | data | | | 0.42322834645669294
                                      RT_STRING | 0x17f0c38 | 0x374 | data | | | 0.39819004524886875
                                      RT_STRING | 0x17f0fac | 0x378 | data | | | 0.33783783783783783
                                      RT_STRING | 0x17f1324 | 0x2e0 | data | | | 0.4470108695652174
                                      RT_STRING | 0x17f1604 | 0x3ec | data | | | 0.3396414342629482
                                      RT_STRING | 0x17f19f0 | 0x3f4 | data | | | 0.3824110671936759
                                      RT_STRING | 0x17f1de4 | 0x448 | data | | | 0.38321167883211676
                                      RT_STRING | 0x17f222c | 0x3e8 | data | | | 0.427
                                      RT_STRING | 0x17f2614 | 0x134 | data | | | 0.6006493506493507
                                      RT_STRING | 0x17f2748 | 0xcc | data | | | 0.6764705882352942
                                      RT_STRING | 0x17f2814 | 0x23c | data | | | 0.486013986013986
                                      RT_STRING | 0x17f2a50 | 0x2a0 | data | | | 0.48214285714285715
                                      RT_STRING | 0x17f2cf0 | 0x3f4 | data | | | 0.3705533596837945
                                      RT_STRING | 0x17f30e4 | 0x3b8 | data | | | 0.38130252100840334
                                      RT_STRING | 0x17f349c | 0x560 | data | | | 0.32848837209302323
                                      RT_STRING | 0x17f39fc | 0x2b4 | data | | | 0.30057803468208094
                                      RT_STRING | 0x17f3cb0 | 0x37c | data | | | 0.4327354260089686
                                      RT_STRING | 0x17f402c | 0x49c | data | | | 0.39152542372881355
                                      RT_STRING | 0x17f44c8 | 0x4f8 | data | | | 0.39544025157232704
                                      RT_STRING | 0x17f49c0 | 0x404 | data | | | 0.3667315175097276
                                      RT_STRING | 0x17f4dc4 | 0x384 | data | | | 0.33666666666666667
                                      RT_STRING | 0x17f5148 | 0x410 | data | | | 0.3836538461538462
                                      RT_STRING | 0x17f5558 | 0x2f0 | data | | | 0.3896276595744681
                                      RT_STRING | 0x17f5848 | 0xc0 | data | | | 0.625
                                      RT_STRING | 0x17f5908 | 0x9c | data | | | 0.6282051282051282
                                      RT_STRING | 0x17f59a4 | 0x380 | data | | | 0.4341517857142857
                                      RT_STRING | 0x17f5d24 | 0x498 | data | | | 0.29336734693877553
                                      RT_STRING | 0x17f61bc | 0x2f8 | data | | | 0.45263157894736844
                                      RT_STRING | 0x17f64b4 | 0x2f0 | data | | | 0.3776595744680851
                                      RT_STRING | 0x17f67a4 | 0x3c0 | data | | | 0.259375
                                      RT_RCDATA | 0x17f6b64 | 0x10 | data | | | 1.5
                                      RT_RCDATA | 0x17f6b74 | 0x1c28 | data | | | 0.5441176470588235
                                      RT_RCDATA | 0x17f879c | 0x2 | data | English | United States | 5.0
                                      RT_RCDATA | 0x17f87a0 | 0x143 | Delphi compiled form 'Taeh0bt63au93xj701j963100izc' | | | 0.7739938080495357
                                      RT_RCDATA | 0x17f88e4 | 0xab5 | Delphi compiled form 'Taqm0t0o3c6hpjozn8tilgeaz67006' | | | 0.4137176213060927
                                      RT_RCDATA | 0x17f939c | 0x122 | Delphi compiled form 'Tcsa5mf03rl00db3gm80ri80o910' | | | 0.7620689655172413
                                      RT_RCDATA | 0x17f94c0 | 0x1466 | Delphi compiled form 'Tef1eogyu1o7b085809f04wey6rz02' | | | 0.2686710072769054
                                      RT_RCDATA | 0x17fa928 | 0x1674 | Delphi compiled form 'Tez53r2old2339y8hilrz7ym19znlc20' | | | 0.29331941544885176
                                      RT_RCDATA | 0x17fbf9c | 0x53d | Delphi compiled form 'Tfzg2u25oh4khd2b35c22t6d74lwlmg5xo5r' | | | 0.5607755406413124
                                      RT_RCDATA | 0x17fc4dc | 0xf89 | Delphi compiled form 'Tglhc086f7x39ddrbic0d3y273f9nl4kep7z839d' | | | 0.35353281367865225
                                      RT_RCDATA | 0x17fd468 | 0x2fb | Delphi compiled form 'Tjm1sz7g41uae7a04ih1dq8wnn9ais11i7nga0fr3h' | | | 0.6133682830930537
                                      RT_RCDATA | 0x17fd764 | 0x10aa | Delphi compiled form 'Tkls01drur199l902njn01065075tlpyt70' | | | 0.31598687294889827
                                      RT_RCDATA | 0x17fe810 | 0x1182 | Delphi compiled form 'Tlk2856iy67rup4ec5w3w2j0639935165ob' | | | 0.31570727353859884
                                      RT_RCDATA | 0x17ff994 | 0x823 | Delphi compiled form 'Tmst376426ua7id5sagbk66wzc07090g8p4t7007tg' | | | 0.49639942390782527
                                      RT_RCDATA | 0x18001b8 | 0x4385 | Delphi compiled form 'Tmtn5un47b13281i02qt7jcxy2d62500m886het7j' | | | 0.2079838009835117
                                      RT_RCDATA | 0x1804540 | 0x100b | Delphi compiled form 'Tpj09znhfpgsqd94q20kwkh2sn87r342oxjb4' | | | 0.2897492086681276
                                      RT_RCDATA | 0x180554c | 0x1e11 | Delphi compiled form 'Tra8t76a2e0703f5e5iw1la654j2t' | | | 0.4682343770300117
                                      RT_RCDATA | 0x1807360 | 0x126e | Delphi compiled form 'Tudkl4uqme7ni910ru233iytd162dd3115tj1' | | | 0.3151759220008478
                                      RT_RCDATA | 0x18085d0 | 0xbb2 | Delphi compiled form 'Tufdg29q70efkf99r2hmn3z723w2p262zb86b310o' | | | 0.38744154976619904
                                      RT_RCDATA | 0x1809184 | 0x1590 | Delphi compiled form 'Tuia4e00083ej8fkb5x3a00tn0pk526ei3' | | | 0.29329710144927534
                                      RT_RCDATA | 0x180a714 | 0x458 | Delphi compiled form 'Tuqhny0y5e9g378w6212q6ruydqtq087075zsl24' | | | 0.5566546762589928
                                      RT_RCDATA | 0x180ab6c | 0x39a | Delphi compiled form 'Twfa4x1q40wo22x2oudh3l37mb0bm3qz40cw6fo' | | | 0.5900216919739696
                                      RT_RCDATA | 0x180af08 | 0xcf5 | Delphi compiled form 'Txfnwac87z4x4gqwrmgay0n0cuzc9' | | | 0.3524268917696714
                                      RT_RCDATA | 0x180bc00 | 0x1db1 | Delphi compiled form 'Tzlqn102py534xz78jw2cwxse3f5pk99lezn' | | | 0.2657545059860545
                                      RT_GROUP_CURSOR | 0x180d9b4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.25
                                      RT_GROUP_CURSOR | 0x180d9c8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
                                      RT_GROUP_CURSOR | 0x180d9dc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
                                      RT_GROUP_CURSOR | 0x180d9f0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
                                      RT_GROUP_CURSOR | 0x180da04 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
                                      RT_GROUP_CURSOR | 0x180da18 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
                                      RT_GROUP_CURSOR | 0x180da2c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
                                      RT_GROUP_CURSOR | 0x180da40 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
                                      RT_GROUP_CURSOR | 0x180da54 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
                                      RT_GROUP_CURSOR | 0x180da68 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
                                      RT_GROUP_CURSOR | 0x180da7c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
                                      RT_GROUP_CURSOR | 0x180da90 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
                                      RT_GROUP_CURSOR | 0x180daa4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Portuguese | Brazil | 1.3
                                      RT_GROUP_CURSOR | 0x180dab8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                                      RT_GROUP_CURSOR | 0x180dacc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
                                      RT_GROUP_CURSOR | 0x180dae0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                                      RT_GROUP_CURSOR | 0x180daf4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                                      RT_GROUP_CURSOR | 0x180db08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                                      RT_GROUP_CURSOR | 0x180db1c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                                      RT_GROUP_CURSOR | 0x180db30 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                                      RT_VERSION | 0x180db44 | 0x218 | data | English | United States | 0.47388059701492535
                                      DLL | Import
                                      winmm.dll | PlaySoundW
                                      wininet.dll | InternetCloseHandle
                                      comctl32.dll | FlatSB_SetScrollInfo
                                      shell32.dll | Shell_NotifyIconW
                                      user32.dll | DdeSetUserHandle
                                      version.dll | GetFileVersionInfoSizeW
                                      oleaut32.dll | SafeArrayPutElement
                                      advapi32.dll | RegSetValueExW
                                      netapi32.dll | NetWkstaGetInfo
                                      msvcrt.dll | memcpy
                                      winhttp.dll | WinHttpGetIEProxyConfigForCurrentUser
                                      kernel32.dll | GetVersion, GetVersionExW
                                      SHFolder.dll | SHGetFolderPathW
                                      wsock32.dll | gethostbyaddr
                                      ole32.dll | IsAccelerator
                                      gdi32.dll | Pie
                                      ntdll.dll | RtlCompressBuffer
                                      Name | Ordinal | Address
                                      TMethodImplementationIntercept | 3 | 0x46a0b4
                                      __dbk_fcall_wrapper | 2 | 0x412460
                                      dbkFCallWrapperAddr | 1 | 0x935640
                                      liydq47sc2u82rq6r | 4 | 0x9025d0
                                      Language of compilation system | Country where language is spoken | Map
                                      Portuguese | Brazil |
                                      English | United States |
                                      No network behavior found

                                      Target ID:0
                                      Start time:21:30:06
                                      Start date:02/10/2024
                                      Path:C:\Windows\System32\loaddll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:loaddll32.exe "C:\Users\user\Desktop\4.dll"
                                      Imagebase:0x490000
                                      File size:126'464 bytes
                                      MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:high
                                      Has exited:true

                                      Target ID:1
                                      Start time:21:30:06
                                      Start date:02/10/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:21:30:06
                                      Start date:02/10/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\4.dll",#1
                                      Imagebase:0x410000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:21:30:06
                                      Start date:02/10/2024
                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:rundll32.exe C:\Users\user\Desktop\4.dll,TMethodImplementationIntercept
                                      Imagebase:0xf70000
                                      File size:61'440 bytes
                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:21:30:06
                                      Start date:02/10/2024
                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:rundll32.exe "C:\Users\user\Desktop\4.dll",#1
                                      Imagebase:0xf70000
                                      File size:61'440 bytes
                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:21:30:08
                                      Start date:02/10/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 708
                                      Imagebase:0xcb0000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:21:30:09
                                      Start date:02/10/2024
                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:rundll32.exe C:\Users\user\Desktop\4.dll,__dbk_fcall_wrapper
                                      Imagebase:0xf70000
                                      File size:61'440 bytes
                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:high
                                      Has exited:true

                                      Target ID:12
                                      Start time:21:30:13
                                      Start date:02/10/2024
                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:rundll32.exe C:\Users\user\Desktop\4.dll,dbkFCallWrapperAddr
                                      Imagebase:0xf70000
                                      File size:61'440 bytes
                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:high
                                      Has exited:true

                                      Target ID:14
                                      Start time:21:30:18
                                      Start date:02/10/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6592 -s 696
                                      Imagebase:0xcb0000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:20
                                      Start time:22:36:00
                                      Start date:02/10/2024
                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:rundll32.exe "C:\Users\user\Desktop\4.dll",TMethodImplementationIntercept
                                      Imagebase:0xf70000
                                      File size:61'440 bytes
                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:high
                                      Has exited:true

                                      Target ID:21
                                      Start time:22:36:00
                                      Start date:02/10/2024
                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:rundll32.exe "C:\Users\user\Desktop\4.dll",__dbk_fcall_wrapper
                                      Imagebase:0xf70000
                                      File size:61'440 bytes
                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:high
                                      Has exited:true

                                      Target ID:22
                                      Start time:22:36:00
                                      Start date:02/10/2024
                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:rundll32.exe "C:\Users\user\Desktop\4.dll",dbkFCallWrapperAddr
                                      Imagebase:0xf70000
                                      File size:61'440 bytes
                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:high
                                      Has exited:true

                                      Target ID:23
                                      Start time:22:36:00
                                      Start date:02/10/2024
                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                      Wow64 process (32bit):true
                                      Commandline:rundll32.exe "C:\Users\user\Desktop\4.dll",liydq47sc2u82rq6r
                                      Imagebase:0xf70000
                                      File size:61'440 bytes
                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Has exited:true

                                      Target ID:27
                                      Start time:22:36:04
                                      Start date:02/10/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8160 -s 696
                                      Imagebase:0xcb0000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:22:36:04
                                      Start date:02/10/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8144 -s 696
                                      Imagebase:0xcb0000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:22:36:24
                                      Start date:02/10/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6696 -s 696
                                      Imagebase:0xcb0000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      No disassembly