Windows Analysis Report
2.dll

Overview

General Information

Sample name: 2.dll
Analysis ID: 1524658
MD5: dfce8512ab710f06ced8b1d279d487bb
SHA1: 7abd0e2a549764d36de102a657c02aa43dbc30d7
SHA256: 9973dbdd3136f591baa4cb189398baca56da52267f5b7d31678cf412c2781edd
Tags: dll, Mekotio, user-Merlax_

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
Tries to evade analysis by executing special instruction (VM detection)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7668 cmdline: loaddll32.exe "C:\Users\user\Desktop\2.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7720 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7736 cmdline: rundll32.exe "C:\Users\user\Desktop\2.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 764 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 704 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7744 cmdline: rundll32.exe C:\Users\user\Desktop\2.dll,TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7864 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7744 -s 700 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7920 cmdline: rundll32.exe C:\Users\user\Desktop\2.dll,__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8020 cmdline: rundll32.exe C:\Users\user\Desktop\2.dll,dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 1948 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8020 -s 696 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 8076 cmdline: rundll32.exe "C:\Users\user\Desktop\2.dll",TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7952 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 696 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 8084 cmdline: rundll32.exe "C:\Users\user\Desktop\2.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8092 cmdline: rundll32.exe "C:\Users\user\Desktop\2.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7384 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8092 -s 696 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 8116 cmdline: rundll32.exe "C:\Users\user\Desktop\2.dll",el60p89r7qlkly4p9bfqh7 MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 2.dll; Avira: detected
Source: 2.dll; ReversingLabs: Detection: 21%
Source: 2.dll; Virustotal: Detection: 27%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.8% probability
Source: 2.dll; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: 2.dll; String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: Amcache.hve.8.dr; String found in binary or memory: http://upx.sf.net
Source: 2.dll; String found in binary or memory: http://www.componentace.com

System Summary

Source: 2.dll; Static PE information: section name: JnMC)V\Y
Source: 2.dll; Static PE information: section name: ^Y7EFn!
Source: 2.dll; Static PE information: section name: iNc]]\"c
Source: 2.dll; Static PE information: section name: [kU>6V7E
Source: 2.dll; Static PE information: section name: k@5.o2*)
Source: 2.dll; Static PE information: section name: 30sm=(\
Source: 2.dll; Static PE information: section name: :[$;GcNc
Source: 2.dll; Static PE information: section name: Oq!I-sV/
Source: 2.dll; Static PE information: section name: 29K?RC7R
Source: 2.dll; Static PE information: section name: )?RY!(f(
Source: 2.dll; Static PE information: section name: nZEOaU_@
Source: 2.dll; Static PE information: section name: 'Ga7;<I&
Source: 2.dll; Static PE information: section name: qdN*$pN
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7744 -s 700
Source: 2.dll; Static PE information: Number of sections : 13 > 10
Source: 2.dll; Binary or memory string: OriginalFileName vs 2.dll
Source: classification engine; Classification label: mal80.evad.winDLL@25/21@0/0
Source: C:\Windows\SysWOW64\rundll32.exe; Mutant created: \Sessions\1\BaseNamedObjects\el60p89r7qlkly4p9bfqh7
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8076
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8020
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8092
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7744
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7736
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7ee4ba07-2a36-48fe-852a-cf0472039e54
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2.dll"
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2.dll",#1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2.dll,TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2.dll,__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2.dll,dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2.dll",el60p89r7qlkly4p9bfqh7
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8092 -s 696
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8020 -s 696
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 704
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 696
Source: C:\Windows\System32\loaddll32.exe; Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: winhttp.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: shfolder.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: wsock32.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: olepro32.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: security.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: apphelp.dll
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: 2.dll; Static file information: File size 25332736 > 1048576
Source: 2.dll; Static PE information: Raw size of JnMC)V\Y is bigger than: 0x100000 < 0x510c00
Source: 2.dll; Static PE information: Raw size of 29K?RC7R is bigger than: 0x100000 < 0x953000
Source: 2.dll; Static PE information: Raw size of nZEOaU_@ is bigger than: 0x100000 < 0x8fd800
Source: initial sample; Static PE information: section where entry point is pointing to: nZEOaU_@
Source: 2.dll; Static PE information: section name: JnMC)V\Y
Source: 2.dll; Static PE information: section name: ^Y7EFn!
Source: 2.dll; Static PE information: section name: iNc]]\"c
Source: 2.dll; Static PE information: section name: [kU>6V7E
Source: 2.dll; Static PE information: section name: k@5.o2*)
Source: 2.dll; Static PE information: section name: 30sm=(\
Source: 2.dll; Static PE information: section name: :[$;GcNc
Source: 2.dll; Static PE information: section name: Oq!I-sV/
Source: 2.dll; Static PE information: section name: 29K?RC7R
Source: 2.dll; Static PE information: section name: )?RY!(f(
Source: 2.dll; Static PE information: section name: nZEOaU_@
Source: 2.dll; Static PE information: section name: 'Ga7;<I&
Source: 2.dll; Static PE information: section name: qdN*$pN

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe; Memory written: PID: 7668 base: 740007 value: E9 EB DF E3 76
Source: C:\Windows\System32\loaddll32.exe; Memory written: PID: 7668 base: 7757DFF0 value: E9 1E 20 1C 89
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7736 base: 6460007 value: E9 EB DF 11 71
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7736 base: 7757DFF0 value: E9 1E 20 EE 8E
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7744 base: 2E80007 value: E9 EB DF 6F 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7744 base: 7757DFF0 value: E9 1E 20 90 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7920 base: 3470007 value: E9 EB DF 10 74
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 7920 base: 7757DFF0 value: E9 1E 20 EF 8B
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 8020 base: AB0007 value: E9 EB DF AC 76
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 8020 base: 7757DFF0 value: E9 1E 20 53 89
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 8076 base: C70007 value: E9 EB DF 90 76
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 8076 base: 7757DFF0 value: E9 1E 20 6F 89
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 8084 base: C70007 value: E9 EB DF 90 76
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 8084 base: 7757DFF0 value: E9 1E 20 6F 89
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 8092 base: 7E0007 value: E9 EB DF D9 76
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 8092 base: 7757DFF0 value: E9 1E 20 26 89
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 8116 base: 4D0007 value: E9 EB DF 0A 77
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: PID: 8116 base: 7757DFF0 value: E9 1E 20 F5 88
Source: C:\Windows\System32\loaddll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (4 events)
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX (14 events) and FAILCRITICALERRORS | NOOPENFILEERRORBOX (8 events)
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 events) and NOOPENFILEERRORBOX (51 events)
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX (42 events) and FAILCRITICALERRORS | NOOPENFILEERRORBOX (24 events)
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (11 events) and NOOPENFILEERRORBOX (103 events)
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 1BD6EF0
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 222E04D
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 1B138C8
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 1B83E55
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 1B2EC14
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 1C9BD5E
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 1C00136
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 1C8C6E6
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 2240039
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 232882E
Source: C:\Windows\System32\loaddll32.exe Special instruction interceptor: First address: 1A81567 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\loaddll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2.dll",#1
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | 1 Credential API Hooking | 321 Security Software Discovery | Remote Services | 1 Credential API Hooking | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 111 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 111 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 21 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Behavior Graph ID: 1524658, Sample: 2.dll, Startdate: 03/10/2024, Architecture: WINDOWS, Score: 80

  • 2.dll: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; PE file contains section with special chars; AI detected suspicious sample
    • loaddll32.exe (started): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to evade analysis by execution special instruction (VM detection); Hides threads from debuggers; Switches to a custom stack to bypass stack traces
      • cmd.exe (started)
        • rundll32.exe (started): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hides threads from debuggers
          • WerFault.exe (started)
      • rundll32.exe (started): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hides threads from debuggers
        • WerFault.exe (started)
      • rundll32.exe (started)
        • WerFault.exe (started)
      • 6 other processes (started)
        • WerFault.exe (started)
        • WerFault.exe (started)

Source | Detection | Scanner | Label
2.dll | 21% | ReversingLabs |
2.dll | 28% | Virustotal |
2.dll | 100% | Avira | HEUR/AGEN.1327619
No Antivirus matches
Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
http://www.indyproject.org/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
http://www.borland.com/namespaces/Types-IWSDLPublish | 0% | Virustotal |
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf | 0% | Virustotal |
http://www.borland.com/rootpart.xml | 0% | Virustotal |
http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS | 0% | Virustotal |
http://tools.ietf.org/html/rfc1321 | 0% | Virustotal |
http://www.schneier.com/paper-blowfish-fse.htmlS | 0% | Virustotal |
http://www.borland.com/namespaces/Types-IAppServerSOAPq | 0% | Virustotal |
http://tempuri.org/ | 0% | Virustotal |
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS | 0% | Virustotal |
http://schemas.xmlsoap.org/wsdl/soap/ | 0% | Virustotal |
http://www.itl.nist.gov/fipspubs/fip180-1.htm | 0% | Virustotal |
http://schemas.xmlsoap.org/wsdl/soap12/SV | 0% | Virustotal |
http://www.borland.com/namespaces/Types-IAppServerSOAP | 0% | Virustotal |
http://www.borland.com/namespaces/Types | 0% | Virustotal |
http://www.movable-type.co.uk/scripts/xxtea.pdfS | 0% | Virustotal |
http://schemas.xmlsoap.org/wsdl/soap/# | 0% | Virustotal |
http://www.borland.com/namespaces/TypesA | 0% | Virustotal |
http://www.schneier.com/paper-twofish-paper.pdfS | 0% | Virustotal |
http://schemas.xmlsoap.org/soap/http | 0% | Virustotal |
http://schemas.xmlsoap.org/wsdl/http/ | 0% | Virustotal |
http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfU | 0% | Virustotal |
http://tempuri.org/U | 1% | Virustotal |
http://www.componentace.com | 1% | Virustotal |
http://tools.ietf.org/html/rfc4648S | 0% | Virustotal |
http://www.borland.com/namespaces/Types-IAppServerSOAPU | 0% | Virustotal |
http://www.ietf.org/rfc/rfc3447.txtS | 0% | Virustotal |
http://schemas.xmlsoap.org/wsdl/mime/ | 0% | Virustotal |
http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS | 0% | Virustotal |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.borland.com/namespaces/Types-IWSDLPublish | rundll32.exe, 00000003.00000002.2269833630.0000000005130000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004D40000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.00000000048A0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.0000000004CF0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004710000.00000020.00000001.01000000.00000003.sdmp, 2.dll | false | | unknown
http://schemas.xmlsoap.org/soap/encoding/ | loaddll32.exe, 00000000.00000003.1496962487.0000000003E53000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2285695980.0000000006843000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1624853726.0000000006333000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000003.2227471413.00000000069B3000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2015818434.0000000005DF3000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2344318167.0000000006143000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000003.1570620388.00000000062C3000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.1840001168.0000000005D83000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dll | false | URL Reputation: safe | unknown
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf | 2.dll | false | | unknown
http://tools.ietf.org/html/rfc1321 | rundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dll | false | | unknown
http://schemas.xmlsoap.org/soap/envelope/ | rundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dll | false | URL Reputation: safe | unknown
http://www.borland.com/rootpart.xml | rundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dll | false | | unknown
http://www.schneier.com/paper-blowfish-fse.htmlS | rundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dll | false | | unknown
http://tempuri.org/rundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.2285336657.00000000063B7000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1595469970.0000000005FC7000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2007177729.0000000005B27000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2344238031.0000000005F77000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1812957570.0000000005997000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://upx.sf.netAmcache.hve.8.drfalse
  • URL Reputation: safe
unknown
http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfSrundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://www.indyproject.org/loaddll32.exe, 00000000.00000003.1496962487.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2285695980.00000000067B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2269833630.0000000005130000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004D40000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1624853726.00000000062A0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2227471413.0000000006920000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2015818434.0000000005D60000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1964605016.00000000048A0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2344318167.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2342118339.0000000004CF0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000003.1570620388.0000000006230000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.1840001168.0000000005CF0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004710000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalse
  • URL Reputation: safe
unknown
http://tools.ietf.org/html/rfc4648Srundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://www.borland.com/namespaces/Types-IAppServerSOAPqloaddll32.exe, 00000000.00000003.1496962487.0000000003DC7000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2227471413.0000000006927000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1570620388.0000000006237000.00000004.00001000.00020000.00000000.sdmpfalseunknown
http://schemas.xmlsoap.org/wsdl/soap12/SVrundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://www.itl.nist.gov/fipspubs/fip180-1.htmrundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfSrundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://schemas.xmlsoap.org/wsdl/soap/rundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://www.borland.com/namespaces/TypesAloaddll32.exe, 00000000.00000003.1496962487.0000000003E3D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2227471413.000000000699D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1570620388.00000000062AD000.00000004.00001000.00020000.00000000.sdmpfalseunknown
http://www.borland.com/namespaces/Types-IAppServerSOAPrundll32.exe, 00000003.00000002.2285695980.00000000067B7000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1624853726.00000000062A7000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2015818434.0000000005D67000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2344318167.00000000060B7000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.1840001168.0000000005CF7000.00000004.00001000.00020000.00000000.sdmpfalseunknown
http://www.movable-type.co.uk/scripts/xxtea.pdfSrundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://www.borland.com/namespaces/Typesrundll32.exe, 0000000D.00000003.1570620388.00000000062AD000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.1840001168.0000000005D6D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004710000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://schemas.xmlsoap.org/soap/httprundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://schemas.xmlsoap.org/wsdl/soap/#rundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://www.schneier.com/paper-twofish-paper.pdfSrundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://schemas.xmlsoap.org/wsdl/http/rundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://tempuri.org/Urundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://schemas.xmlsoap.org/wsdl/rundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalse
  • URL Reputation: safe
unknown
http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfUrundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://www.componentace.com2.dllfalseunknown
http://schemas.xmlsoap.org/wsdl/mime/rundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://www.borland.com/namespaces/Types-IAppServerSOAPUrundll32.exe, 00000003.00000002.2269833630.0000000005130000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004D40000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.00000000048A0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.0000000004CF0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004710000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfSrundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
http://www.borland.com/namespaces/Typesaloaddll32.exe, 00000000.00000003.1496962487.0000000003E3D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2227471413.000000000699D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1570620388.00000000062AD000.00000004.00001000.00020000.00000000.sdmpfalse
    unknown
    http://www.ietf.org/rfc/rfc3447.txtSrundll32.exe, 00000003.00000002.2269833630.0000000004C21000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1523019142.0000000004831000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.1964605016.0000000004391000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2342118339.00000000047E1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1762543350.0000000004201000.00000020.00000001.01000000.00000003.sdmp, 2.dllfalseunknown
No contacted IP infos

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1524658
Start date and time: 2024-10-03 03:29:17 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 2.dll
Detection: MAL
Classification: mal80.evad.winDLL@25/21@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .dll
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.42.73.29, 20.42.65.92, 20.189.173.20, 52.168.117.173
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus15.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.

Time | Type | Description
21:30:25 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
21:30:27 | API Interceptor | 5x Sleep call for process: WerFault.exe modified
    No context
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.9475649112031992
    Encrypted:false
    SSDEEP:192:K5DiTOVkd0BU/wjeTGkuzzuiFOZ24IO8dci:kiaVkeBU/wjeyzuiFOY4IO8dci
    MD5:E55DC8FE1A879648A1C5BD112834C13A
    SHA1:472C7F5EEA111C0F21EC9B001578CEADABD42B48
    SHA-256:54EEE13B8C24B3F6F0C57C49359265CD0E6CFD054DF379A3E6C42709A7E4F429
    SHA-512:716D11F68FEC07256D1518B7BD29A4E857B2051336F7F05C8B7BFD0510114CD2951F1081029DF8FBE6B828B3F79EB425DFBFAF56B6FBD13AD7FB735C9AF27009
    Malicious:false
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.9475638137216515
    Encrypted:false
    SSDEEP:192:NA/BigOH7kd0BU/wjeTGkuzzuiFfZ24IO8dci:W/BiRbkeBU/wjeyzuiFfY4IO8dci
    MD5:56D271BBDB07D38D7DB3FFF5EB622A38
    SHA1:A7DC833E3E4E65A8558951E27FFA8EFF19D04E84
    SHA-256:71AD0BC6217007C35338E40B0109FC5AB0FF4C5010D3ADC29BCF45BC9DA3996D
    SHA-512:EDFFC41449CAAE98DD86EC8CC301F2FACFFACC97442F0543D57A9D9C1376AFE71D61BFA3166EF6D6ABD1E6AE05FF330EA5637FF7AA9C727AA4F4B37C9FD91168
    Malicious:false
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.9534154883123037
    Encrypted:false
    SSDEEP:192:itiJOGdkn0BU/wjeTGkuzzuiFOZ24IO84ci:cigUk0BU/wjeyzuiFOY4IO84ci
    MD5:F2858DC7DB5EDD9BEB6AE00A74206B81
    SHA1:8B45F3BAE8E3676D368B7587133CCC2E016E434A
    SHA-256:DFE95158F7CB31DC7082EE75445BCEC45F7FDDBDBFC8EDC40AB4792D809F74F5
    SHA-512:EEEBDC60425A54B3D85627EB2DECF28721C7679B95E97A0AA75A6CA8169B93CD8E0696A21744B5EF340AFE78947C965F446825D1878C844D77941E1B40B219BA
    Malicious:false
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.9530280311573242
    Encrypted:false
    SSDEEP:192:SgiJRIOFYKkn0BU/wjeTGkuzzuiFOZ24IO84ci:hiJR5F9k0BU/wjeyzuiFOY4IO84ci
    MD5:EE51AA3E0780A6179D356344770A4A19
    SHA1:065588461653837CE236B3AC1F9F74A0D9DC137A
    SHA-256:A7303CD5C6838EA7ED5FE03C5DDA06F35BBAEEA84AC6A98BF62890B8DBE83E6D
    SHA-512:7A1CE8B8019394FE958D8BEEAAB9265A440A6A2CAAE60A4BE12AA57D6319B31397B32CE3EC812FD5E5A11FE032C560AE38DDDA9EBE7DB73EADD530AA091A5E03
    Malicious:false
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.9526576603295984
    Encrypted:false
    SSDEEP:192:X+UvoEimOykn0BU/wjeTGkuzzuiFfZ24IO84ci:X+0oEinyk0BU/wjeyzuiFfY4IO84ci
    MD5:68FF33C0AF56BE0338954F46CFEA4486
    SHA1:12F65881D530D2DD0B3D19E4318EA56C4C1D2125
    SHA-256:FC69C46EB941B11E46BBB5B5E7A49759A6AFA82251760095D4F9AA9A9D1DD107
    SHA-512:E2840D0CB3A50D8E694C636F2E8084C6133C6ADF2B4BC1266BD7294093B0E5B17C126EB22384D2E42F949828FA9C0F145570584CF0B39585CE2A99CEDCCA3740
    Malicious:false
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 01:30:13 2024, 0x1205a4 type
    Category:dropped
    Size (bytes):44344
    Entropy (8bit):2.059009813085946
    Encrypted:false
    SSDEEP:192:J6eeuvfuXI9F4oiXO5H4hAkGzpTZiwUtdni/lwjUV19VXQ+dHs7:Cuvfz2oL5H62wm19ts
    MD5:40BFF2CD5B52C18AA6F5F16A93BC0EFD
    SHA1:B1951CC2FB00409084AA39E3D1E8D8B7688140DF
    SHA-256:0763B6C9B6376EE81633A4F95E7EFD085EF1356A268C83B812D71D77DEE7409F
    SHA-512:7AA3ADF0A05B73964F6D3BFDC27A6619857D318A66783E0D0D675F95EBFF57DDD768FB4D31A5A4949A2685EEB54FC9589BB3475334E494422FB5FCDC7309F0CA
    Malicious:false
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8274
    Entropy (8bit):3.692360545512801
    Encrypted:false
    SSDEEP:192:R6l7wVeJVJ6fLU6YdI6agmfTodYtprt89bMSsf4fkm:R6lXJb6A6Yy6agmfTodYaMRfk
    MD5:56B4832C2A95B24B3BF7AE6A3750AABF
    SHA1:5337B4B9F816DDF492E7107FA998F04DFFAF7FD7
    SHA-256:32D2776B2065B58B2A039364D64F31A163DE9969F80D007EFBF60E3F93758A85
    SHA-512:69BB08A6037FDDD7C04E5F969CF5668E63FE7E521FAC8D1C46B63E3EE57C42BCEA2F6D32DACE4DFBD0ABCBE371363D853EB2DD7D2629FDA0A8E3C7217B9B6FC8
    Malicious:false
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4632
    Entropy (8bit):4.447604178360685
    Encrypted:false
    SSDEEP:48:cvIwWl8zsfJg77aI9fkWpW8VYEYm8M4JCdPAmvFp+q8/gNI8OGScSvd:uIjfBI7N97V4J83oRJ3vd
    MD5:CFF829218C07FB8DE0F91C4BB95D0D37
    SHA1:18B32811B34A91660016512D5CA1977D7B35E743
    SHA-256:C57381A5E105F62D9D6543C25C11413320C71362AB5ABC050B134458D06E60AE
    SHA-512:00FA1CB3536821AFDC313113CF01272F91051972D579D789EE88204C6A1343A4BF1EE0BFDE4B08682105F39056092B641622C99F4965B9DD8C26C87D81347E4F
    Malicious:false
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526592" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 01:31:38 2024, 0x1205a4 type
    Category:dropped
    Size (bytes):45828
    Entropy (8bit):1.9848245406299039
    Encrypted:false
    SSDEEP:192:WT1uvfuX/96xXO5H4690Y3WhG/jHvqIM7/iNyey6ZS:+uvfK6k5HH0YKG/jHvqIM7/eZ
    MD5:927FA370C11FE4C7600833C11E2395AC
    SHA1:11EE197647AD5BCA94E1BE7B2BA7B2439A9F9BE4
    SHA-256:598863C54207AFDE3BDBA7493C9D3B4FA9B14046373AE401C81AD03354EF7574
    SHA-512:2CBA3F42C777661D29ADDDDA2F4E25FE25847FE9D84F09F91A5327AD93B28768863558E88F6C0940A84A66DA187BD6C957D2B8ED9BD25AAFA799DE0C7A92E812
    Malicious:false
    Preview:MDMP..a..... ..........f........................................N/..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T.......8......f%............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8332
    Entropy (8bit):3.6893734370921094
    Encrypted:false
    SSDEEP:192:R6l7wVeJwG6cLRy26YBO6cgmf8zdYtprz89bsYsf019km:R6lXJZ6My26YY6cgmf8zdY0sLfEb
    MD5:3E1B59595625E593829FECFF4837C90C
    SHA1:81021895C23501A46876BEFAB1F798A8F0EEFDD0
    SHA-256:381DD00F7D7D18301CFC2A10A9AA0BAED6648B1A04439CEB117CE5618340A358
    SHA-512:02A5BCC274E06FF0958D141AD79E169B98E26462EA2ACF81E7E4872502A2D7341534E9F99FAB5EAC716B7CAD8406FBB3B4ABD6EB350C8F2A291FE29269A04742
    Malicious:false
    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.3.6.<./.P.i.
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4733
    Entropy (8bit):4.439080388505104
    Encrypted:false
    SSDEEP:48:cvIwWl8zs9Jg77aI9fkWpW8VYpYm8M4JCdPAgFVFX+q8vjPAgFmhGScSud:uIjfXI7N97VFJCRKfchJ3ud
    MD5:6F24EBAC3F56BC8378E5DD982BD865C7
    SHA1:A430461E58F3155028A4F72417724C6D65DA61B8
    SHA-256:1E06E59D4BBD4DDBE4F297FFC9716CBDCB758C16681DECDC4BB41CD1B95A3C7C
    SHA-512:75301A306825738B069AE1C67159FCCA0B170C73E07AA965955C0CF29054D8636581E10849CE0F704A481E792B709FB62C7AA3C3DA16FD45B6F51DF7D40BB60F
    Malicious:false
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526594" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 01:30:37 2024, 0x1205a4 type
    Category:dropped
    Size (bytes):43804
    Entropy (8bit):2.0176453721921424
    Encrypted:false
    SSDEEP:192:B3juvfuXn9PYXO5H4nnL6TP/q2dVxWHDgzgfvC:FuvfqN5H0LuHDbWPfv
    MD5:748D96CA042C53219413FC66AC7DD036
    SHA1:CC6D9CD80532B43C7CBC1B223B7459D3FF625070
    SHA-256:B865E8306104BC33203131F5CAEACBFAFB8BFC52F99E78C291E760CAAD44D4C2
    SHA-512:5DBB1B14E71C28937B741B33A84ACF360D89C08ABF8988F747710C7260A78FA8E848AC4C54EE09BC24101A0F5C063CC419E684C34450F981F3BD5895E92BFE1C
    Malicious:false
    Preview:MDMP..a..... ..........f........................................N/..........T.......8...........T...............d...........L...........8...............................................................................eJ..............GenuineIntel............T..............f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8362
    Entropy (8bit):3.688287366146016
    Encrypted:false
    SSDEEP:192:R6l7wVeJe862LB6YdW6ADkgmf8zdYtpr689bqhsfcOm:R6lXJt606YM6AAgmf8zdYzqaf8
    MD5:E91F9DA29AC293FAEDE490CCB7FB9A29
    SHA1:C85C57845AF797B2F2DDF95F9D300FA257A13054
    SHA-256:59242CDE99187223F25D2B12C1027C88D3F76F918FFD6BE2B70DA402AB5198C8
    SHA-512:B0E11AE4A533A4F912A4C27DD4F572E1F9B057B090F26F7C7CA917AE2C0155A091D0583055D9613B5A2D9FC60E737E458F561A9602A07024CDCFA36D925A1233
    Malicious:false
    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.9.2.<./.P.i.
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4733
    Entropy (8bit):4.438519536575563
    Encrypted:false
    SSDEEP:48:cvIwWl8zswJg77aI9fkWpW8VY1oYm8M4JCdPAgFVF3+q8vjPAgFTGScSFd:uIjf2I7N97VSFJCJKftJ3Fd
    MD5:4CED598CC7247EE7592DCF3878936B07
    SHA1:E726C85F2DFB00C45D53AC49E270445936BCBF75
    SHA-256:BD30395AE24C17528B2C9A7D2C1DC9E88991768B7F71A575F64E7A8D0C064687
    SHA-512:7CD10AA0A45DC5E19B482CE52B9FC7164F71408417540D574B5A80DAE368ED144B198DAA4B175276F958485C7173096BAD6BFD85313B8F160DB0595F734D36A5
    Malicious:false
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526593" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 01:31:48 2024, 0x1205a4 type
    Category:dropped
    Size (bytes):46616
    Entropy (8bit):1.9791790146791477
    Encrypted:false
    SSDEEP:192:VfJuvfuXT9nI2XO5H4FbV0zcXlat3o2NN+Z+tGD:HuvfunIX5H+OzfNP
    MD5:D44FE8CF227D1D2FE6A15636E59BF27F
    SHA1:397CF0882C0750A5FE6F8C61C81C4AE77138C9BF
    SHA-256:22E060961D75A3C2FF5FFBB20A4DEF362C34038B698A02D4ED438F57E80533DC
    SHA-512:9CB13507C126B3730DCC53F6B8693CEE2E39A11E894581EB492F91426C98BB370C31EDE78758D47493B700907977E9E14B0E6C4108ECBEA89A937352903EA87A
    Malicious:false
    Preview:MDMP..a..... ..........f........................................N/..........T.......8...........T...............`...........L...........8...............................................................................eJ..............GenuineIntel............T..............f)............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8270
    Entropy (8bit):3.6929752240139324
    Encrypted:false
    SSDEEP:192:R6l7wVeJ0i6iLbd6YVg6AQ6gmfTodYtprv89bLNsfrk5m:R6lXJ56w6Yi6ANgmfTodYALGfrX
    MD5:9891C0799D4DC8D24CD7725DB93C5C5C
    SHA1:99140ED622A322073A5DEEF4054B1C11196B62F7
    SHA-256:AFBCB51B53D097ED17B3BCE016DCEEEC07869380A5208FE1BEBEC235166266B3
    SHA-512:799646C0F9274E8D830442630F9F9C7802E609428D31D7ACE4583E2A43B1893C20C487FA6F00DB6CBE63E732B502C1D7059F0712367CEC3FA73D398AB9C174A1
    Malicious:false
    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.7.6.<./.P.i.
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4632
    Entropy (8bit):4.448441138633852
    Encrypted:false
    SSDEEP:48:cvIwWl8zs9Jg77aI9fkWpW8VYSYm8M4JCdPAmvF++q8/gNIWzGScSeMd:uIjfXI7N97VCJ8woWzJ37d
    MD5:2549EED2C0C7E5DDA1FF9B5C59776EEF
    SHA1:16BD75A464265587B21D86F959F3A817A8F9FCE9
    SHA-256:1EAE0677D3042827BC5A619D7DBD03738B473A12CC20F73663134548911EFBE7
    SHA-512:D656765EF46572B60E2B06853549CEEEF6FED72E3CFD2B7ED6807DCA9EE4E7F3C799FC3760717FDD22E81D0F25FBBF8F750168B6D11EA6663B0D2498EBF531F6
    Malicious:false
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526594" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 01:31:01 2024, 0x1205a4 type
    Category:dropped
    Size (bytes):45068
    Entropy (8bit):1.9612283184488863
    Encrypted:false
    SSDEEP:192:ZPsuvfuXM9QPAaXO5H4Qpvw8OL/oBJ6GbtmXeLgHw+Aumm:yuvfbhj5HaDboBtmS
    MD5:4774252800B51D2AB769A59A144D8CC7
    SHA1:CF25FEF7438AACE6DFC7BBAA6E8A0AD53C16B793
    SHA-256:546CA57ACF14044F12D8D5D4512E9407DF4737398360EE25D0801BB4977D7E4D
    SHA-512:A53A5EB1AF4A074B76864D09E245219E3945DD7677F3EB3547E76EDE95DD8CC15A8F3A290CF3E2DEC6E0A2870025BAF9AC5649B6D9EF40C5D1A82566599A0CA2
    Malicious:false
    Preview:MDMP..a..... ..........f........................................N/..........T.......8...........T...............T...........L...........8...............................................................................eJ..............GenuineIntel............T.......T......f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8338
    Entropy (8bit):3.687920493076239
    Encrypted:false
    SSDEEP:192:R6l7wVeJ3f6OLE6YV56AQmgmf8zdYtprF89b+PsfIKm:R6lXJP6p6Y76AJgmf8zdYi+0f0
    MD5:F3B947B3E35986090F40C4164C0DCECA
    SHA1:D749EE3746BE57208D89B88209C2380033049F62
    SHA-256:A8F8E224A45E141CFCBAF79AC24C2F946D7B4F86E090391FD044EC53622D46CA
    SHA-512:8564DD0466FBC25E407DE4B1BC30D704E567610A97A4DE8BA37A99C3A19150610B8BD1D99B943FAC1FA88151BA3106977E14FD68B322005B9CC61B785A4F859B
    Malicious:false
    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.2.0.<./.P.i.
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4733
    Entropy (8bit):4.4383197299902255
    Encrypted:false
    SSDEEP:48:cvIwWl8zswJg77aI9fkWpW8VY4Ym8M4JCdPAgFVFc+q8vjPAgFOhGScSwd:uIjf2I7N97VUJCiKfYhJ3wd
    MD5:5AD932476FA798C7A44EA1B72EF8D692
    SHA1:78D7E3A12EE5D88A5F7B2781E9E82109950C5C4C
    SHA-256:EF2488D5C78FBE0B1199FB278847346E68151CD95EF04D4056084E32F831ED52
    SHA-512:2A7030582415361E70F170E1245505A711E579ED8061DD27268719174B4B2F90CB2938AF01E870135F2849FF58DC13B24A925D1352EB5D5D5DDD0D9A9CB73291
    Malicious:false
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526593" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:MS Windows registry file, NT/2000 or above
    Category:dropped
    Size (bytes):1835008
    Entropy (8bit):4.394711908138917
    Encrypted:false
    SSDEEP:6144:5l4fiJoH0ncNXiUjt10qCG/gaocYGBoaUMMhA2NX4WABlBuNAyOBSqa:P4vFCMYQUMM6VFYSyU
    MD5:DB7F530424D93417D25A50B6A96CA638
    SHA1:7D39C765F22F218B89137D4B2EB6F9EEDE324CCB
    SHA-256:69E8993FB4ABAEF3B0EA9114F2BAA4D151FAF33344CDFDDA266F8554090FF890
    SHA-512:8F67CA2EBAD1C68D9F0FBC5DA9045BA3ACCA730FC5A3339644EE90629069CA5FD6958FF85DF48EC9BDAD176A1E96586FB6775EE491B13D255CFD606187CDBD06
    Malicious:false
    Preview:regfK...K....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....3...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Entropy (8bit):7.386332108757452
    TrID:
    • Win32 Dynamic Link Library (generic) (1002004/3) 99.40%
    • Win16/32 Executable Delphi generic (2074/23) 0.21%
    • Generic Win/DOS Executable (2004/3) 0.20%
    • DOS Executable Generic (2002/1) 0.20%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:2.dll
    File size:25'332'736 bytes
    MD5:dfce8512ab710f06ced8b1d279d487bb
    SHA1:7abd0e2a549764d36de102a657c02aa43dbc30d7
    SHA256:9973dbdd3136f591baa4cb189398baca56da52267f5b7d31678cf412c2781edd
    SHA512:a8bd525ecabd546bb85dcf463599182af7b71bae0e95b0de8cc998b4f6e5016c756fe7cfc0f4cc2498e255c4ef93d06dc66c1911f852c6fe8b05645a40da2032
    SSDEEP:393216:U5HR7h+9O9ALSbxLt0nZJ69m91obdDcX9APs69D:PLMw6MshDcX9Ak+
    TLSH:7A470257728A80FED0861D758A3BE3D1163BF67129068C6B3BD4290C5F31FA1653EA87
    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
    Icon Hash:7ae282899bbab082
    Entrypoint:0x1509eb5
    Entrypoint Section:nZEOaU_@
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
    DLL Characteristics:
    Time Stamp:0x66FDC5A7 [Wed Oct 2 22:13:59 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:0
    File Version Major:5
    File Version Minor:0
    Subsystem Version Major:5
    Subsystem Version Minor:0
    Import Hash:9a6d12fce3bb7f25c3b57d1fb6ad19d7
    Instruction
    call 00007F0800692237h
    inc ecx
    mov edx, 913A88A2h
    call 00007F08006B5D30h
    inc ebp
    mov edi, dword ptr [ecx]
    inc esp
    movzx esp, byte ptr [ebp+00h]
    call 00007F08004DDCDDh
    btc eax, eax
    xor bl, dl
    sub eax, ecx
    sal eax, cl
    adc cl, cl
    adc edx, esp
    xor al, byte ptr [edx+eax-39000000h]
    mov edx, ecx
    mov dx, ax
    movzx dx, dl
    dec ecx
    lea eax, dword ptr [CC2B06BEh+ecx*4]
    mov al, byte ptr [esi+00h]
    sub cx, F78Dh
    or cl, cl
    and dl, al
    movzx eax, cx
    push ecx
    not dl
    add ecx, ecx
    call 00007F0800D1B594h
    mov ecx, 8B039085h
    jmp 00007F08006C98F3h
    bswap edx
    inc ecx
    or ah, 0000000Fh
    dec eax
    mov dword ptr [esp+ecx-0610269Fh], 00A3779Dh
    jo 00007F0800690CFBh
    ror edx, 02h
    cbw
    inc esp
    movzx ebp, al
    lea edx, dword ptr [ecx+edx-4DBD23CFh]
    dec edx
    lea edi, dword ptr [ecx+edi+59929112h]
    dec esp
    mov dword ptr [esp+ecx-0610268Fh], esi
    inc eax
    sub bh, byte ptr [esp+ecx-06102693h]
    xor dword ptr [esp+ecx*2-0C204D2Eh], edx
    dec esp
    mov esi, dword ptr [esp+ecx-0610268Fh]
    inc esp
    movzx edx, al
    dec eax
    arpl dx, dx
    call 00007F08004E878Ah
    dec edx
    lea ebp, dword ptr [ebp+ebx*4+06h]
    Name                                   Virtual Address  Virtual Size  Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT           0x543000         0xc0          :[$;GcNc
    IMAGE_DIRECTORY_ENTRY_IMPORT           0xeddf14         0x168         nZEOaU_@
    IMAGE_DIRECTORY_ENTRY_RESOURCE         0x1797000        0x2ebf4       'Ga7;<I&
    IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
    IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC        0x17c6000        0x7475c       qdN*$pN
    IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
    IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
    IMAGE_DIRECTORY_ENTRY_IAT              0xe98000         0x8c          )?RY!(f(
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x10bcac0        0x1e0         nZEOaU_@
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
    IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
    Name       Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type                              Entropy             Characteristics
    JnMC)V\Y   0x1000           0x510aec      0x510c00  c2f92585819b59a3528e8f0dd881cae3  unknown   unknown              unknown                                unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    ^Y7EFn!    0x512000         0x40b0        0x4200    23e79826ee3cc9d222767b00dcc51022  False     0.4947916666666667   data                                   6.078247956019308   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    iNc]]\"c   0x517000         0x1a59c       0x1a600   04a59889bbcfa2f14544474b63fc12d2  False     0.4634182464454976   data                                   6.750500670886289   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    [kU>6V7E   0x532000         0xa080        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty                                  0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    k@5.o2*)   0x53d000         0x4240        0x4400    b5d081c50edd3672d9dfcb165f1c53d3  False     0.9450252757352942   data                                   7.793922838488285   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    30sm=(\    0x542000         0xd7c         0xe00     3b04cf9e391cccd5f7e8cd9500478825  False     0.34402901785714285  data                                   4.28408239924825    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    :[$;GcNc   0x543000         0xc0          0x200     4b4f537ee4a567db067f87892329101f  False     0.330078125          data                                   2.4266205041773423  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Oq!I-sV/   0x544000         0x45          0x200     4ae75964954652113b5bc6e6bf8e2eec  False     0.158203125          ASCII text, with no line terminators   1.1775367479159162  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    29K?RC7R   0x545000         0x952f71      0x953000  0f3a6161d998552dfdeef82b8391f0e3  unknown   unknown              unknown                                unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    )?RY!(f(   0xe98000         0xa4          0x200     c9b8cb77cb12759f6115f291c67c66db  False     0.193359375          data                                   1.1982890839614144  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    nZEOaU_@   0xe99000         0x8fd630      0x8fd800  e37984b5ce0c29e0fd5667196610d2b4  unknown   unknown              unknown                                unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    'Ga7;<I&   0x1797000        0x2ebf4       0x2ec00   e9eb39f6f226e6156bae4db053aaf6ef  False     0.21951767212566844  data                                   5.2471275281035785  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    qdN*$pN    0x17c6000        0x7475c       0x74800   421eaf97537166290cf478b172d288ea  False     0.5587760696083691   data                                   6.721192597891817   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
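    The section and data-directory tables above are enough to reproduce three of the report's static signatures ("PE file contains section with special chars", "Entry point lies outside standard sections", "PE file contains more sections than normal") and to cross-check the "Is in Section" column. The following is an added example, not code from the Joe Sandbox report or its engine: the section names, RVAs, sizes, characteristics, image base and entry point are transcribed from the report; the RVA-to-section rule, the allow-list of ordinary section names, the special-character rule and the section-count threshold are this example's own assumptions. The report's "Entrypoint" is read here as a virtual address (image base + RVA); both readings land in the same section for this sample.

    ```python
    """Added example (not part of the Joe Sandbox report): re-derive the
    report's section-based static checks from its own section table."""
    from dataclasses import dataclass
    from typing import Optional

    # IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
    IMAGE_SCN_CNT_CODE             = 0x00000020
    IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
    IMAGE_SCN_MEM_DISCARDABLE      = 0x02000000
    IMAGE_SCN_MEM_EXECUTE          = 0x20000000
    IMAGE_SCN_MEM_READ             = 0x40000000
    IMAGE_SCN_MEM_WRITE            = 0x80000000

    CODE_RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    DATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    DATA_R  = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
    BSS_RW  = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

    @dataclass(frozen=True)
    class Section:
        name: str
        rva: int        # VirtualAddress
        vsize: int      # VirtualSize
        raw_size: int   # SizeOfRawData
        flags: int      # Characteristics

        def contains(self, rva: int) -> bool:
            # Assumption: a section spans the larger of its two sizes (same rule pefile uses).
            return self.rva <= rva < self.rva + max(self.vsize, self.raw_size)

    IMAGE_BASE = 0x400000
    ENTRY_POINT_VA = 0x1509eb5   # report's "Entrypoint", read as image base + RVA

    # Transcribed from the report's section table (name, VA, VSize, RawSize, flags).
    SECTIONS = [
        Section('JnMC)V\\Y', 0x1000,    0x510aec, 0x510c00, CODE_RX),
        Section('^Y7EFn!',   0x512000,  0x40b0,   0x4200,   CODE_RX),
        Section('iNc]]\\"c', 0x517000,  0x1a59c,  0x1a600,  DATA_RW),
        Section('[kU>6V7E',  0x532000,  0xa080,   0x0,      BSS_RW),
        Section('k@5.o2*)',  0x53d000,  0x4240,   0x4400,   DATA_RW),
        Section('30sm=(\\',  0x542000,  0xd7c,    0xe00,    DATA_RW),
        Section(':[$;GcNc',  0x543000,  0xc0,     0x200,    DATA_R),
        Section('Oq!I-sV/',  0x544000,  0x45,     0x200,    DATA_R),
        Section('29K?RC7R',  0x545000,  0x952f71, 0x953000, CODE_RX),
        Section(')?RY!(f(',  0xe98000,  0xa4,     0x200,    DATA_RW),
        Section('nZEOaU_@',  0xe99000,  0x8fd630, 0x8fd800, CODE_RX),
        Section("'Ga7;<I&",  0x1797000, 0x2ebf4,  0x2ec00,  DATA_R),
        Section('qdN*$pN',   0x17c6000, 0x7475c,  0x74800,  DATA_R | IMAGE_SCN_MEM_DISCARDABLE),
    ]

    # Non-empty data directories from the report (name -> RVA).
    DATA_DIRECTORIES = {
        'EXPORT':       0x543000,
        'IMPORT':       0xeddf14,
        'RESOURCE':     0x1797000,
        'BASERELOC':    0x17c6000,
        'IAT':          0xe98000,
        'DELAY_IMPORT': 0x10bcac0,
    }

    # Assumption: a short allow-list of linker-emitted names (MSVC, Delphi/Borland, GCC).
    STANDARD_NAMES = {
        '.text', '.data', '.rdata', '.idata', '.edata', '.rsrc', '.reloc', '.bss',
        '.tls', '.pdata', '.CRT', '.didata', 'CODE', 'DATA', 'BSS', '.itext',
    }

    def section_for_rva(rva: int) -> Optional[Section]:
        """Map an RVA to the section whose span contains it (None if in no section)."""
        for s in SECTIONS:
            if s.contains(rva):
                return s
        return None

    def entry_point_section() -> Optional[str]:
        s = section_for_rva(ENTRY_POINT_VA - IMAGE_BASE)
        return s.name if s else None

    def directory_sections() -> dict:
        """Section each data directory lives in; compare with the report's 'Is in Section'."""
        return {name: (s.name if (s := section_for_rva(rva)) else None)
                for name, rva in DATA_DIRECTORIES.items()}

    def has_special_chars(name: str) -> bool:
        # Assumption: linker names use only letters, digits, '.', '_' and '$'.
        return any(not (c.isalnum() or c in '._$') for c in name)

    def findings(max_sections: int = 10) -> list:
        """Signature-style findings as strings; max_sections is this example's threshold."""
        out = []
        odd = [s.name for s in SECTIONS if has_special_chars(s.name)]
        if odd:
            out.append(f'section names with special chars: {len(odd)}')
        ep = entry_point_section()
        if ep is None or ep not in STANDARD_NAMES:
            out.append(f'entry point outside standard sections (in {ep!r})')
        if len(SECTIONS) > max_sections:
            out.append(f'more sections than normal: {len(SECTIONS)}')
        wx = [s.name for s in SECTIONS
              if s.flags & IMAGE_SCN_MEM_WRITE and s.flags & IMAGE_SCN_MEM_EXECUTE]
        if wx:
            out.append(f'writable+executable sections: {wx}')
        virt_only = [s.name for s in SECTIONS if s.raw_size == 0 and s.vsize]
        if virt_only:
            out.append(f'sections with no raw data (BSS-like): {virt_only}')
        return out

    if __name__ == '__main__':
        print('entry point section:', entry_point_section())
        for k, v in directory_sections().items():
            print(f'{k:13s} -> {v}')
        for f in findings():
            print('finding:', f)
    ```

    Every directory entry resolves to the section the report names, so the two tables are mutually consistent; the one section with no raw data ([kU>6V7E, read/write, no CNT flag) is the shape a Delphi BSS section has, so it is reported but not treated as suspicious by itself. To run the same checks on the file rather than on the transcribed table, populate SECTIONS from pefile's pe.sections (Name, VirtualAddress, Misc_VirtualSize, SizeOfRawData, Characteristics) and use pe.OPTIONAL_HEADER.AddressOfEntryPoint, which is already an RVA.
    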
    Name       RVA        Size   Type                                                                                Language    Country        ZLIB Complexity
    RT_CURSOR  0x17995bc  0x134  data                                                                                Portuguese  Brazil         0.12012987012987013
    RT_CURSOR  0x17996f0  0x134  data                                                                                English     United States  0.4642857142857143
    RT_CURSOR  0x1799824  0x134  data                                                                                English     United States  0.4805194805194805
    RT_CURSOR  0x1799958  0x134  data                                                                                English     United States  0.38311688311688313
    RT_CURSOR  0x1799a8c  0x134  data                                                                                English     United States  0.36038961038961037
    RT_CURSOR  0x1799bc0  0x134  data                                                                                English     United States  0.4090909090909091
    RT_CURSOR  0x1799cf4  0x134  Targa image data - RGB 64 x 65536 x 1 +32 "\001"                                    English     United States  0.4967532467532468
    RT_CURSOR  0x1799e28  0x134  data                                                                                Portuguese  Brazil         0.12012987012987013
    RT_CURSOR  0x1799f5c  0x134  data                                                                                Portuguese  Brazil         0.12012987012987013
    RT_CURSOR  0x179a090  0x134  data                                                                                Portuguese  Brazil         0.12012987012987013
    RT_CURSOR  0x179a1c4  0x134  data                                                                                Portuguese  Brazil         0.12012987012987013
    RT_CURSOR  0x179a2f8  0x134  data                                                                                Portuguese  Brazil         0.12012987012987013
    RT_CURSOR  0x179a42c  0x134  data                                                                                Portuguese  Brazil         0.12012987012987013
    RT_CURSOR  0x179a560  0x134  data                                                                                Portuguese  Brazil         0.12012987012987013
    RT_CURSOR  0x179a694  0x134  data                                                                                Portuguese  Brazil         0.12012987012987013
    RT_CURSOR  0x179a7c8  0x134  data                                                                                Portuguese  Brazil         0.12012987012987013
    RT_CURSOR  0x179a8fc  0x134  data                                                                                Portuguese  Brazil         0.12012987012987013
    RT_CURSOR  0x179aa30  0x134  data                                                                                Portuguese  Brazil         0.12012987012987013
    RT_CURSOR  0x179ab64  0x134  data                                                                                Portuguese  Brazil         0.12012987012987013
    RT_CURSOR  0x179ac98  0x134  Targa image data - Map 64 x 65536 x 1 +32 "\001"                                    English     United States  0.38636363636363635
    RT_BITMAP  0x179adcc  0x1d0  Device independent bitmap graphic, 36 x 18 x 4, image size 360                      English     United States  0.43103448275862066
    RT_BITMAP  0x179af9c  0x1e4  Device independent bitmap graphic, 36 x 19 x 4, image size 380                      English     United States  0.46487603305785125
    RT_BITMAP  0x179b180  0x1d0  Device independent bitmap graphic, 36 x 18 x 4, image size 360                      English     United States  0.43103448275862066
    RT_BITMAP  0x179b350  0x1d0  Device independent bitmap graphic, 36 x 18 x 4, image size 360                      English     United States  0.39870689655172414
    RT_BITMAP  0x179b520  0x1d0  Device independent bitmap graphic, 36 x 18 x 4, image size 360                      English     United States  0.4245689655172414
    RT_BITMAP  0x179b6f0  0x1d0  Device independent bitmap graphic, 36 x 18 x 4, image size 360                      English     United States  0.5021551724137931
    RT_BITMAP  0x179b8c0  0x1d0  Device independent bitmap graphic, 36 x 18 x 4, image size 360                      English     United States  0.5064655172413793
    RT_BITMAP  0x179ba90  0x1d0  Device independent bitmap graphic, 36 x 18 x 4, image size 360                      English     United States  0.39655172413793105
    RT_BITMAP  0x179bc60  0x1d0  Device independent bitmap graphic, 36 x 18 x 4, image size 360                      English     United States  0.5344827586206896
    RT_BITMAP  0x179be30  0x1d0  Device independent bitmap graphic, 36 x 18 x 4, image size 360                      English     United States  0.39655172413793105
    RT_BITMAP  0x179c000  0xc0   Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors   English     United States  0.5208333333333334
    RT_BITMAP  0x179c0c0  0xe0   Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors  English     United States  0.42857142857142855
    RT_BITMAP  0x179c1a0  0xe0   Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors  English     United States  0.4955357142857143
    RT_BITMAP  0x179c280  0xe0   Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors  English     United States  0.38392857142857145
    RT_BITMAP  0x179c360  0xc0   Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors   English     United States  0.4947916666666667
    RT_BITMAP  0x179c420  0xc0   Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors   English     United States  0.484375
    RT_BITMAP  0x179c4e0  0xe0   Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors  English     United States  0.42410714285714285
    RT_BITMAP  0x179c5c0  0xc0   Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors   English     United States  0.5104166666666666
    RT_BITMAP  0x179c680  0xe0   Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors  English     United States  0.5
    RT_BITMAP  0x179c760  0xc0   Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors   English     United States  0.4895833333333333
    RT_BITMAP  0x179c820  0xe0   Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors  English     United States  0.3794642857142857
    RT_STRING  0x179c900  0x3e8  data                                                                                                           0.4
    RT_STRING  0x179cce8  0x538  data                                                                                                           0.34505988023952094
    RT_STRING  0x179d220  0x654  data                                                                                                           0.2580246913580247
    RT_STRING  0x179d874  0xa38  data                                                                                                           0.27446483180428133
    RT_STRING  0x179e2ac  0x974  data                                                                                                           0.2756198347107438
    RT_STRING  0x179ec20  0x50c  data                                                                                                           0.34365325077399383
    RT_STRING  0x179f12c  0x440  data                                                                                                           0.4108455882352941
    RT_STRING  0x179f56c  0x46c  data                                                                                                           0.39399293286219084
    RT_STRING  0x179f9d8  0x3f0  data                                                                                                           0.38591269841269843
    RT_STRING  0x179fdc8  0x488  data                                                                                                           0.30689655172413793
    RT_STRING  0x17a0250  0x494  data                                                                                                           0.32849829351535836
    RT_STRING  0x17a06e4  0x604  data                                                                                                           0.30324675324675326
    RT_STRING  0x17a0ce8  0x414  data                                                                                                           0.407088122605364
    RT_STRING  0x17a10fc  0x31c  data                                                                                                           0.46608040201005024
    RT_STRING  0x17a1418  0x43c  data                                                                                                           0.34870848708487084
    RT_STRING  0x17a1854  0x768  data                                                                                                           0.36550632911392406
    RT_STRING  0x17a1fbc  0x438  data                                                                                                           0.39814814814814814
    RT_STRING  0x17a23f4  0x4c4  data                                                                                                           0.37540983606557377
    RT_STRING  0x17a28b8  0x44c  data                                                                                                           0.3927272727272727
    RT_STRING  0x17a2d04  0x574  data                                                                                                           0.37822349570200575
    RT_STRING  0x17a3278  0x3f4  data                                                                                                           0.4150197628458498
    RT_STRING  0x17a366c  0xe04  data                                                                                                           0.24442586399108138
    RT_STRING  0x17a4470  0xb40  data                                                                                                           0.2635416666666667
    RT_STRING  0x17a4fb0  0xae4  data                                                                                                           0.3134863701578192
    RT_STRING  0x17a5a94  0x8ac  data                                                                                                           0.3063063063063063
    RT_STRING  0x17a6340  0x798  data                                                                                                           0.2890946502057613
    RT_STRING  0x17a6ad8  0x4d0  data                                                                                                           0.4082792207792208
    RT_STRING  0x17a6fa8  0x44c  data                                                                                                           0.3836363636363636
    RT_STRING  0x17a73f4  0x4b0  data                                                                                                           0.365
    RT_STRING  0x17a78a4  0x43c  data                                                                                                           0.39206642066420666
    RT_STRING  0x17a7ce0  0x3a8  data                                                                                                           0.4230769230769231
    RT_STRING  0x17a8088  0x3a0  data                                                                                                           0.4040948275862069
    RT_STRING  0x17a8428  0x40c  data                                                                                                           0.4015444015444015
    RT_STRING  0x17a8834  0x3f8  data                                                                                                           0.42322834645669294
    RT_STRING  0x17a8c2c  0x374  data                                                                                                           0.39819004524886875
    RT_STRING  0x17a8fa0  0x378  data                                                                                                           0.33783783783783783
    RT_STRING  0x17a9318  0x2e0  data                                                                                                           0.4470108695652174
    RT_STRING  0x17a95f8  0x3ec  data                                                                                                           0.3396414342629482
    RT_STRING  0x17a99e4  0x3f4  data                                                                                                           0.3824110671936759
    RT_STRING  0x17a9dd8  0x448  data                                                                                                           0.38321167883211676
    RT_STRING  0x17aa220  0x3e8  data                                                                                                           0.427
    RT_STRING  0x17aa608  0x134  data                                                                                                           0.6006493506493507
    RT_STRING0x17aa73c0xccdata0.6764705882352942
    RT_STRING0x17aa8080x23cdata0.486013986013986
    RT_STRING0x17aaa440x2a0data0.48214285714285715
    RT_STRING0x17aace40x3f4data0.3705533596837945
    RT_STRING0x17ab0d80x3b8data0.38130252100840334
    RT_STRING0x17ab4900x560data0.32848837209302323
    RT_STRING0x17ab9f00x2b4data0.30057803468208094
    RT_STRING0x17abca40x37cdata0.4327354260089686
    RT_STRING0x17ac0200x49cdata0.39152542372881355
    RT_STRING0x17ac4bc0x4f8data0.39544025157232704
    RT_STRING0x17ac9b40x404data0.3667315175097276
    RT_STRING0x17acdb80x384data0.33666666666666667
    RT_STRING0x17ad13c0x410data0.3836538461538462
    RT_STRING0x17ad54c0x2f0data0.3896276595744681
    RT_STRING0x17ad83c0xc0data0.625
    RT_STRING0x17ad8fc0x9cdata0.6282051282051282
    RT_STRING0x17ad9980x380data0.4341517857142857
    RT_STRING0x17add180x498data0.29336734693877553
    RT_STRING0x17ae1b00x2f8data0.45263157894736844
    RT_STRING0x17ae4a80x2f0data0.3776595744680851
    RT_STRING0x17ae7980x3c0data0.259375
    RT_RCDATA0x17aeb580x10data1.5
    RT_RCDATA0x17aeb680x1c20data0.54375
    RT_RCDATA0x17b07880x2dataEnglishUnited States5.0
    RT_RCDATA0x17b078c0xf86Delphi compiled form 'Tap5w0a6q86ji4ej8a40980h93sr'0.3505284348263714
    RT_RCDATA0x17b17140x43bDelphi compiled form 'Tapdtucbw5xbi23bimpb42egk92e'0.556786703601108
    RT_RCDATA0x17b1b500x146cDelphi compiled form 'Tdwc008qe4tj113u0k09o4r4p71u1hmx9'0.2702754399387911
    RT_RCDATA0x17b2fbc0x7eaDelphi compiled form 'Teugtjy670flmd91p2y74zwr679de3s'0.49654491609081935
    RT_RCDATA0x17b37a80x168dDelphi compiled form 'Tggknwc61wds83xe1o17xy07x7dky3rr27ecs39sw'0.2943010566429932
    RT_RCDATA0x17b4e380x2f2Delphi compiled form 'Thn6og7ebnr1k0b4329n1t9x0oy3e8487kx0i7g0'0.6127320954907162
    RT_RCDATA0x17b512c0x158eDelphi compiled form 'Titim86xn0zat3its8dcet3oit02s4c1o948r100cb'0.29358463211308444
    RT_RCDATA0x17b66bc0xfa4Delphi compiled form 'Tiyie9b8a1p5cm2zi0p3iwg708ks2iz'0.2887112887112887
    RT_RCDATA0x17b76600x54dDelphi compiled form 'Tmm3473b095of0damtj4j0s75x6qef560mi85zz90p'0.5696389093588798
    RT_RCDATA0x17b7bb00x1e2aDelphi compiled form 'Tnr9m1l3ws20a7qjp65kkx53d3enmo5710k54uc'0.4698264698264698
    RT_RCDATA0x17b99dc0x388Delphi compiled form 'Tpt1hghhcjc01j2ajcb07wjek7h3jl'0.5907079646017699
    RT_RCDATA0x17b9d640x107eDelphi compiled form 'Tqu6k0q18g5e0fio70pe5memz064425ktgha07'0.3128848886783515
    RT_RCDATA0x17bade40x436aDelphi compiled form 'Tst2n144yi80drhk2b3k6lc956h10j7eaa62r7'0.2076718043805771
    RT_RCDATA0x17bf1500x1dceDelphi compiled form 'Tsz0poi23b8za312kwzo1brso7a000nxfq096f90ek'0.26749672346002623
    RT_RCDATA0x17c0f200x12beDelphi compiled form 'Ttd3pf56ox3x6m1e9qa6n2hzlhzpp6760y062jnh0i'0.3170070862859525
    RT_RCDATA0x17c21e00xcc6Delphi compiled form 'Ttdcqj0357qj6008l0fwf9lr6e6h85iy1'0.3507645259938838
    RT_RCDATA0x17c2ea80x110eDelphi compiled form 'Ttr7hesc5e3540pp208hi721u318'0.3142464498396702
    RT_RCDATA0x17c3fb80xb6fDelphi compiled form 'Twol826y610n5sm2145pe0436u04g0'0.38674410659378206
    RT_RCDATA0x17c4b280x12cDelphi compiled form 'Txg8f0cpao836qn2l3l6ar97c28i073jx'0.7566666666666667
    RT_RCDATA0x17c4c540xaa5Delphi compiled form 'Txldur2g840ik0e4f7674jls800zztjbw'0.41100917431192663
    RT_RCDATA0x17c56fc0x14fDelphi compiled form 'Txs14330inca8zmcl1jj9i7rm07221bsgx'0.746268656716418
    RT_GROUP_CURSOR0x17c584c0x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.25
    RT_GROUP_CURSOR0x17c58600x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
    RT_GROUP_CURSOR0x17c58740x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
    RT_GROUP_CURSOR0x17c58880x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
    RT_GROUP_CURSOR0x17c589c0x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
    RT_GROUP_CURSOR0x17c58b00x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
    RT_GROUP_CURSOR0x17c58c40x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
    RT_GROUP_CURSOR0x17c58d80x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
    RT_GROUP_CURSOR0x17c58ec0x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
    RT_GROUP_CURSOR0x17c59000x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
    RT_GROUP_CURSOR0x17c59140x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
    RT_GROUP_CURSOR0x17c59280x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
    RT_GROUP_CURSOR0x17c593c0x14Lotus unknown worksheet or configuration, revision 0x1PortugueseBrazil1.3
    RT_GROUP_CURSOR0x17c59500x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
    RT_GROUP_CURSOR0x17c59640x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
    RT_GROUP_CURSOR0x17c59780x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
    RT_GROUP_CURSOR0x17c598c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
    RT_GROUP_CURSOR0x17c59a00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
    RT_GROUP_CURSOR0x17c59b40x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
    RT_GROUP_CURSOR0x17c59c80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
    RT_VERSION0x17c59dc0x218dataEnglishUnited States0.47761194029850745
    DLL | Import
    winmm.dll | PlaySoundW
    wininet.dll | InternetCloseHandle
    comctl32.dll | FlatSB_SetScrollInfo
    shell32.dll | Shell_NotifyIconW
    user32.dll | DdeSetUserHandle
    version.dll | GetFileVersionInfoSizeW
    oleaut32.dll | SafeArrayPutElement
    advapi32.dll | RegSetValueExW
    netapi32.dll | NetWkstaGetInfo
    msvcrt.dll | memcpy
    winhttp.dll | WinHttpGetIEProxyConfigForCurrentUser
    kernel32.dll | GetVersion, GetVersionExW
    SHFolder.dll | SHGetFolderPathW
    wsock32.dll | gethostbyaddr
    ole32.dll | IsAccelerator
    gdi32.dll | Pie
    ntdll.dll | RtlCompressBuffer
    Name | Ordinal | Address
    TMethodImplementationIntercept | 3 | 0x46a0b4
    __dbk_fcall_wrapper | 2 | 0x412460
    dbkFCallWrapperAddr | 1 | 0x935640
    el60p89r7qlkly4p9bfqh7 | 4 | 0x902598
    Language of compilation system | Country where language is spoken | Map
    Portuguese | Brazil |
    English | United States |
    No network behavior found

    Target ID:0
    Start time:21:30:11
    Start date:02/10/2024
    Path:C:\Windows\System32\loaddll32.exe
    Wow64 process (32bit):true
    Commandline:loaddll32.exe "C:\Users\user\Desktop\2.dll"
    Imagebase:0xb70000
    File size:126'464 bytes
    MD5 hash:51E6071F9CBA48E79F10C84515AAE618
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:1
    Start time:21:30:11
    Start date:02/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff70f010000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:2
    Start time:21:30:11
    Start date:02/10/2024
    Path:C:\Windows\SysWOW64\cmd.exe
    Wow64 process (32bit):true
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2.dll",#1
    Imagebase:0xc50000
    File size:236'544 bytes
    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:3
    Start time:21:30:11
    Start date:02/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\2.dll",#1
    Imagebase:0xdd0000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:4
    Start time:21:30:11
    Start date:02/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe C:\Users\user\Desktop\2.dll,TMethodImplementationIntercept
    Imagebase:0xdd0000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:8
    Start time:21:30:12
    Start date:02/10/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7744 -s 700
    Imagebase:0xe50000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:9
    Start time:21:30:14
    Start date:02/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe C:\Users\user\Desktop\2.dll,__dbk_fcall_wrapper
    Imagebase:0xdd0000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:11
    Start time:21:30:17
    Start date:02/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe C:\Users\user\Desktop\2.dll,dbkFCallWrapperAddr
    Imagebase:0xdd0000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:12
    Start time:21:30:25
    Start date:02/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\2.dll",TMethodImplementationIntercept
    Imagebase:0xdd0000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:13
    Start time:21:30:25
    Start date:02/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\2.dll",__dbk_fcall_wrapper
    Imagebase:0xdd0000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:14
    Start time:21:30:25
    Start date:02/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\2.dll",dbkFCallWrapperAddr
    Imagebase:0xdd0000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:15
    Start time:21:30:25
    Start date:02/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\2.dll",el60p89r7qlkly4p9bfqh7
    Imagebase:0xdd0000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:18
    Start time:21:30:36
    Start date:02/10/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8092 -s 696
    Imagebase:0xe50000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:20
    Start time:21:30:59
    Start date:02/10/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8020 -s 696
    Imagebase:0xe50000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:24
    Start time:21:31:37
    Start date:02/10/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 704
    Imagebase:0xe50000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:28
    Start time:21:31:48
    Start date:02/10/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 696
    Imagebase:0xe50000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    No disassembly