Windows Analysis Report
5.dll

Overview

General Information

Sample name: 5.dll
Analysis ID: 1524659
MD5: a1d3922228fcfb9b734d3d92213cf525
SHA1: 21834950d507117c0c9d9e4c42c76c1e5f41b61c
SHA256: b84bad0674108e09eb3c974e8ffbaf901e69ca2939dfe70527fb369fe2df831e
Tags: dll, Mekotio, user-Merlax_

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
Tries to evade analysis by executing a special instruction (VM detection)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to query the security center for anti-virus and firewall products
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

Source: 5.dll Avira: detected
Source: 5.dll ReversingLabs: Detection: 34%
Source: 5.dll Virustotal: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.5% probability
Source: 5.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 104.20.3.235 443
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 208.109.246.134 5002
Source: unknown DNS query: name: pastebin.com
Source: global traffic TCP traffic: 192.168.2.10:49722 -> 208.109.246.134:5002
Source: Joe Sandbox View IP Address: 104.20.3.235
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /raw/ZELZp1Yr HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/hQqNRrQt HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: setember2024inf2.is-a-nurse.com
Source: global traffic DNS traffic detected: DNS query: pastebin.com
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll String found in binary or memory: http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll String found in binary or memory: http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfU
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll String found in binary or memory: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS
Source: 5.dll String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll String found in binary or memory: http://tools.ietf.org/html/rfc1321
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll String found in binary or memory: http://tools.ietf.org/html/rfc4648S
Source: Amcache.hve.25.dr String found in binary or memory: http://upx.sf.net
Source: 5.dll String found in binary or memory: http://www.componentace.com
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll String found in binary or memory: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll String found in binary or memory: http://www.ietf.org/rfc/rfc3447.txtS
Source: rundll32.exe, 0000000A.00000002.3087009066.00000000063C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3072215647.0000000004E83000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000005093000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2998925851.0000000006810000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.3138224365.0000000006800000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004813000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3751406101.0000000005D50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004CC3000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3052031087.0000000006300000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2846831139.0000000006630000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2660141145.00000000066F0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.3064367145.0000000006480000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004DF3000.00000020.00000001.01000000.00000004.sdmp, 5.dll String found in binary or memory: http://www.indyproject.org/
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll String found in binary or memory: http://www.itl.nist.gov/fipspubs/fip180-1.htm
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll String found in binary or memory: http://www.movable-type.co.uk/scripts/xxtea.pdfS
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll String found in binary or memory: http://www.schneier.com/paper-blowfish-fse.htmlS
Source: rundll32.exe, 0000000A.00000002.3072215647.00000000049C1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000B.00000002.2944562994.0000000004BD1000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 0000000D.00000002.3748461723.0000000004351000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000012.00000002.3038519715.0000000004801000.00000020.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.3044055558.0000000004931000.00000020.00000001.01000000.00000004.sdmp, 5.dll String found in binary or memory: http://www.schneier.com/paper-twofish-paper.pdfS
Source: rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/ZELZp1Yr
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/hQqNRrQt
Source: rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/hQqNRrQt40
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/hQqNRrQt:u
Source: rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/hQqNRrQtHu
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3751406101.0000000005DE3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://setember2024inf2.is-a-nurse.com:50
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005D6D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://setember2024inf2.is-a-nurse.com:5002/02
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://setember2024inf2.is-a-nurse.com:50K5

System Summary

Source: 5.dll Static PE information: section name: .IiZ_A$8
Source: 5.dll Static PE information: section name: bO\=]JeA
Source: 5.dll Static PE information: section name: >9P5ZP$
Source: 5.dll Static PE information: section name: \(SnMqUq
Source: 5.dll Static PE information: section name: cKc<oclJ
Source: 5.dll Static PE information: section name: L2(#1D;
Source: 5.dll Static PE information: section name: PC2X@$2+
Source: 5.dll Static PE information: section name: ]8;-`=q(
Source: 5.dll Static PE information: section name: Rjm*8iMX
Source: 5.dll Static PE information: section name: pCck@0(<
Source: 5.dll Static PE information: section name: M;H3Mr
Source: 5.dll Static PE information: section name: U(#)2R<D
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7432 -s 704
Source: 5.dll Static PE information: Number of sections : 13 > 10
Source: 5.dll Binary or memory string: OriginalFileName vs 5.dll
Source: 5.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: classification engine Classification label: mal92.troj.evad.winDLL@24/18@2/2
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\Desktop\rundll32.txt
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8004
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7432
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7396
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7972
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\azo06olt3gs7uifwf18b8
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\57dad3d0-12c3-4d73-a23e-ef86eb4ddec3
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,TMethodImplementationIntercept
Source: 5.dll ReversingLabs: Detection: 34%
Source: 5.dll Virustotal: Detection: 36%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\5.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,azo06olt3gs7uifwf18b8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",azo06olt3gs7uifwf18b8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",dbkFCallWrapperAddr
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7972 -s 712
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8004 -s 696
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 696
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: shfolder.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wsock32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: olepro32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: security.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 5.dll Static file information: File size 26549367 > 1048576
Source: 5.dll Static PE information: Raw size of .IiZ_A$8 is bigger than: 0x100000 < 0x4c3e00
Source: 5.dll Static PE information: Raw size of ]8;-`=q( is bigger than: 0x100000 < 0xa19400
Source: 5.dll Static PE information: Raw size of pCck@0(< is bigger than: 0x100000 < 0x9bfc00
Source: initial sample Static PE information: section where entry point is pointing to: pCck@0(<
Source: 5.dll Static PE information: section name: 1eWe9Dpo

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 7280 base: 690007 value: E9 EB DF 01 77
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 7280 base: 776ADFF0 value: E9 1E 20 FE 88
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7396 base: 2F30007 value: E9 EB DF 77 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7396 base: 776ADFF0 value: E9 1E 20 88 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7432 base: 3240007 value: E9 EB DF 46 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7432 base: 776ADFF0 value: E9 1E 20 B9 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7500 base: 6520007 value: E9 EB DF 18 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7500 base: 776ADFF0 value: E9 1E 20 E7 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7540 base: 7A0007 value: E9 EB DF F0 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7540 base: 776ADFF0 value: E9 1E 20 0F 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7972 base: 2960007 value: E9 EB DF D4 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7972 base: 776ADFF0 value: E9 1E 20 2B 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7980 base: 2F80007 value: E9 EB DF 72 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7980 base: 776ADFF0 value: E9 1E 20 8D 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7992 base: 30D0007 value: E9 EB DF 5D 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7992 base: 776ADFF0 value: E9 1E 20 A2 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8004 base: 48B0007 value: E9 EB DF DF 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 8004 base: 776ADFF0 value: E9 1E 20 20 8D
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 248EB86
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 24F46DB
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 237C62C
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 1C541B5
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 23C379C
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 23C6D08
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 25E4462
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 238337D
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 1EF2BE5
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 1E985DF
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 23B209D
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 1CE8206
Source: C:\Windows\System32\loaddll32.exe Special instruction interceptor: First address: 1DC139B instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 756
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7544 Thread sleep count: 756 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7544 Thread sleep time: -75600s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3852 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5448 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6640 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select SerialNumber from Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: Amcache.hve.25.dr Binary or memory string: VMware
Source: Amcache.hve.25.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.25.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.25.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: rundll32.exe, 0000000D.00000003.3488254082.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3752582020.000000000692E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.3514890180.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 0000000D.00000002.3747588655.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW*
Source: Amcache.hve.25.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.25.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.25.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.25.dr Binary or memory string: vmci.sys
Source: Amcache.hve.25.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.25.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.25.dr Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.25.dr Binary or memory string: VMware20,1
Source: Amcache.hve.25.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.25.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.25.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.25.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.25.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.25.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.25.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.25.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.25.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.25.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.25.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\loaddll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 104.20.3.235 443
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 208.109.246.134 5002
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rwinmgmts:\\localhost\root\securitycenter2 memstr_19a0f948-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: path=c:\program files (x86)\common files\oracle\java\javapath;c:\windows\system32;c:\windows;c:\windows\system32\wbem;c:\windows\system32\windowspowershell\v1.0\;c:\windows\system32\openssh\;c:\users\user\appdata\local\microsoft\windowsapps; memstr_3e97bae5-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processor_identifier=intel64 family 6 model 143 stepping 8, genuineintel memstr_89730872-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windows hardware driver verification memstr_e2f3ca36-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windows system component verification memstr_8786227c-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winhttprequest component version 5.1 memstr_66fd5ab5-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: protected process light verification memstr_b3a84235-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: attestation identity key certificate memstr_2e4821d4-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windows software extension verification memstr_8c80f1a1-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endorsement key certificate verified memstr_3cfab30e-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dnsresolver memstr_19f98763-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: epmapper memstr_f3ad9ff8-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: systemroot=c:\windows memstr_8c038851-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft kerberos v1.0 memstr_516f2f23-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: userdomain=brok-pc memstr_67ce645b-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ntlm security package memstr_cd2a9790-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: schannel memstr_98c75aa1-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windir=c:\windows memstr_fcce4a3e-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: negotiate memstr_ece220eb-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pku2u security package memstr_0f023a42-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ctl usage memstr_ca6304df-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: common name memstr_e4c54207-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: locality memstr_23f4f046-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ca version memstr_f96d9a1e-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cmc data memstr_ad6418c5-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pkcs 7 data memstr_c83b27ad-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: initials memstr_1b66a109-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: reg info memstr_9a86779b-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: logotype memstr_1313b5ce-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: crl number memstr_a63be9da-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: user notice memstr_f06a8887-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: biometric memstr_689fcb05-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: key usage memstr_aaddf58f-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sct list memstr_9f29bdc1-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: given name memstr_01586521-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: any purpose memstr_99225deb-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: os version memstr_bdac8f68-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: connection memstr_6e8d75f3-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: keep-alive memstr_158fb61d-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gssapijvm memstr_7bdcb507-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.3.14.3.2.7 memstr_5c374fb0-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: essreceiptdecodeex memstr_f466cc5b-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: https://pastebin.com/raw/zelzp1yr memstr_bc784002-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: userdomain_roamingprofile=brok-pc memstr_219b361f-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: digest authentication for windows memstr_ed7ab3a5-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: enhanced key usage memstr_b658f133-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: unstructured name memstr_fb2955b9-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: basic constraints memstr_b581eb10-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: challenge password memstr_cf1f9368-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: essmlhistorydecodeex memstr_26364ba1-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: smime capabilities memstr_c015e8c4-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: prefer signed data memstr_4b28ba64-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: esscontenthintdecodeex memstr_d8bb5dca-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: clsid\{1b1cad8c-2dab-11d2-b604-00104b703efd}( memstr_69e5e325-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: clsid\{172bddf8-ceea-11d1-8b05-00600806d9b6} memstr_602fbc6c-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: clsid\{1b1cad8c-2dab-11d2-b604-00104b703efd} memstr_7efad745-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsa1 memstr_cabfe656-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #\'g7 memstr_cfdbe7f3-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: clsid\{275c23e2-3747-11d0-9fea-00aa003f8646} memstr_6808c0d1-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsa1p memstr_9f4ce902-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: clsid\{2087c2f4-2cef-4953-a8ab-66779b670495} memstr_d4389d4b-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ^j^@m memstr_57c7b43c-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: g/ 6,& memstr_7e5c4682-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: clsid\{172bddf8-ceea-11d1-8b05-00600806d9b6}x memstr_f032e9f2-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\syswow64\inetcomm.dll+ memstr_7c00c10e-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.3.132.0.33 memstr_39788172-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.3.132.0.33nistp224ecdhcryptoidinfoeccparameters memstr_c1a30eb4-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @eckp memstr_4db7b400-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.3.132.0.34 memstr_54256d36-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.3.132.0.34nistp384ecdhcryptoidinfoeccparameters memstr_d65a8e3c-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: t&v|t&v memstr_7b01fa51-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\syswow64\negoexts.dll memstr_83224196-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\syswow64\kerberos.dll memstr_a75296f7-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\syswow64\schannel.dll memstr_e11f90b1-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft credssp security provider memstr_ca9e2e79-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dasyc memstr_8d8b36e4-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\system32\schannel.dll/! memstr_3465275b-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\system32\ncryptsslp.dll memstr_c89139ad-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: security=impersonation dynamic truew! memstr_853dc36f-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\syswow64\wdigest.dll memstr_16ad0757-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\system32\winhttpcom.dll memstr_705201dc-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: security=impersonation dynamic true memstr_a7db0434-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $p!pt memstr_ee3ff1b4-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\syswow64\winnlsres.dll memstr_729c356c-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: security=impersonation dynamic true?" memstr_ff10fbb9-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qualified certificate statements%" memstr_6f444abd-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\system32\cryptbase.dlldy" memstr_5fb47d83-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.3.6.1.4.1.311.80.1 memstr_971d86bb-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.3.6.1.4.1.311.80.1document encryptiong" memstr_ef6a0829-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: early launch anti-malware driverm" memstr_89177ac1-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: enforce certificate chain policya"m memstr_7f6913d6-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: directory service email replication memstr_f39be502-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: serialised signature serial number memstr_9b6faf01-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: certificate template information memstr_c3295f0e-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: on-line certificate status protocol memstr_b7f79506-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lmemh memstr_4c41f584-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0u0u&# memstr_d9566a6d-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tls-server-end-point:h memstr_2cd1a9ea-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5 tls-server-end-point:h memstr_14ab90fe-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft root certificate authority 2010 memstr_041ef0e8-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: oem windows system component verification memstr_b9f9a3ea-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windows third-party application component memstr_2d083665-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0u0u6$ memstr_c9f6801c-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft root certificate authority 2011f$ memstr_65c7e3cd-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lmemhp memstr_62e2188b-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rok-pc memstr_e9d68c9a-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 192.168.2.10 memstr_a582db0e-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :3yor4 memstr_6df97f95-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dx!pp memstr_ce5f65be-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: a132c1acf46} memstr_51cc0ed7-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windowsdefender:// memstr_85ce94dd-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %programfiles%\windows defende memstr_a9128bd6-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: a132c1acf46}windowsdefender://%programfiles%\windows defende memstr_9669ca08-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hu, 05 oct 2023 09:37:28 gmt memstr_cca6b2f7-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hu, 05 oct 2023 09:37:28 gmt` memstr_02a5f5b3-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: brok-pc memstr_97085305-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: root\securitycenter2 memstr_156dc2dd-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: user-pcroot\securitycenter2= memstr_eb0abf7e-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: antivirusproduct memstr_ef49f4fa-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: displayname memstr_efe685ff-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: antivirusproductdisplayname memstr_56680750-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: string memstr_1448742b-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: not_null memstr_2ab72a52-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: instanceguid memstr_05bb8952-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringnot_nullinstanceguid memstr_cd7536d7-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pathtosignedproductexe memstr_c88ffbb3-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringnot_nullpathtosignedproductexe memstr_25631177-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pathtosignedreportingexe memstr_8705f1ad-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringnot_nullpathtosignedreportingexe memstr_d0bdd958-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: productstate memstr_e5fa0c38-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringnot_nullproductstate memstr_b809e693-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint32 memstr_66bca0a1-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: timestamp memstr_b92e0e7b-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint32not_nulltimestamp memstr_59b15461-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pk9wr memstr_ed65c38d-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: user-pcroot\securitycenter2 memstr_13f81d33-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windows defender memstr_4f0e69cf-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {d68ddc3a-831f-4fae-9e44-da132c1acf46} memstr_5be391a7-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %programfiles%\windows defender\msmpeng.exe memstr_b4c31cd5-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: thu, 05 oct 2023 09:37:28 gmt memstr_d30c2bdb-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: antivirusproductwindows defender{d68ddc3a-831f-4fae-9e44-da132c1acf46}windowsdefender://%programfiles%\windows defender\msmpeng.exethu, 05 oct 2023 09:37:28 gmt5 memstr_5006492f-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pastebin.com memstr_dd5ce44a-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: negoextender security package memstr_724d2033-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: negoextender security package2 memstr_0759e54e-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: default tls ssp5 memstr_9e637ec8-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pstebin.c& memstr_92a82eb8-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: negoextender) memstr_31aa2b0d-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: schannel security package memstr_40899b3b-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: schannel security package@ memstr_b61f6d94-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: schannel security packageq memstr_9a939cf3-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pstebin.ct memstr_623f2c45-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pstebin.c memstr_da504be8-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pastebin.comb memstr_dd39c804-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ts service security package memstr_b6c9c0b9-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft package negotiator memstr_b26991d9-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: swbemsecurity memstr_bead7e6c-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \llb+ memstr_9dfc8f51-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: v ckm memstr_3748e8e5-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pastebin.comnt:h memstr_922a5cb4-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *.pastebin.comw memstr_5c36ee84-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windows hardware driver attested verification memstr_d9f535d5-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\system32\ondemandconnroutehelper.dll memstr_5a413f61-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windows hardware driver extended verification memstr_0a071901-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tls-server-end-point memstr_2c9d1c62-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: v ckm5 tls-server-end-point memstr_ccd4172d-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: embedded windows system component verificationq memstr_1d252866-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft unified security protocol provider memstr_559bb6fd-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: v ckmr memstr_01c6f92d-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: v ckmrogramdataprogr memstr_76d0a1a0-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: v ckmt memstr_26ec93ea-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: v ckmtem32\ondemandco memstr_9d2aeb85-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s (x86)\autoit3\autoitxpublic=c:\users\publics memstr_542589d1-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: onname=consolesystemdrive=c:systemroot=c:\wind memstr_b6442982-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: temp=c:\users\user\appdata\local\temptmp=c:\use memstr_c8ceea90-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rok\appdata\local\tempuserdomain=user-pcuserdo memstr_6a25aeaa-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _roamingprofile=brok-pcusername=brokuserprofil memstr_c2cccfbb-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \users\userwindir=c:\windows memstr_dcd7554c-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >c:\windows\syswow64\stdole2.tlb memstr_d8af34a3-2
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $"#|7 memstr_2929c3c5-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &")@: memstr_9ee5b3ec-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ('nf. memstr_5cc012d2-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bbh#0 memstr_643ebecd-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inetzzzz memstr_85de74ca-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.4 memstr_9585ee0e-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.4x962p239v1ecdsacryptoidinfoeccparameters memstr_52d6ae1a-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.6 memstr_036866ac-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.6x962p239v3ecdhcryptoidinfoeccparameters memstr_090ac6d6-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: text/plain; charset=utf-8 memstr_c736be37-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: software\policies\microsoft\systemcertificates\trustedpeople memstr_ec27982f-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: software\policies\microsoft\systemcertificates\trustedpeople8 memstr_88a9214d-1
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.7 memstr_721b9454-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.7x962p256v1ecdhcryptoidinfoeccparameters memstr_a23c090e-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @6og^ memstr_a83d035f-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.5 memstr_1b22bb0a-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.5x962p239v2ecdhcryptoidinfoeccparameters memstr_40b9e8cf-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.7x962p256v1ecdsacryptoidinfoeccparameters memstr_ba24fe87-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {cwxi memstr_b0801f57-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =u@l=u memstr_26a35f78-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >ups=u memstr_48332a50-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 70c50a17-5fb4-415f-b976-2ce9ec638440 memstr_c7e53da5-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lmemp memstr_7b1da943-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %70c50a17-5fb4-415f-b976-2ce9ec638440lmemp memstr_40de1fab-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.5x962p239v2ecdsacryptoidinfoeccparameters memstr_f2604683-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.6x962p239v3ecdsacryptoidinfoeccparameters memstr_b52e80b1-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /raw/zelzp1yr memstr_dc83cfb3-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.4x962p239v1ecdhcryptoidinfoeccparameters memstr_4126a1ec-6
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.2 memstr_f2bd07c5-d
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.2x962p192v2ecdsacryptoidinfoeccparameters memstr_55a282bc-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.2x962p192v2ecdhcryptoidinfoeccparameters memstr_d5a29685-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.3 memstr_f107520f-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.3x962p192v3ecdsacryptoidinfoeccparameters memstr_1a04f18b-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.3x962p192v3ecdhcryptoidinfoeccparameters memstr_968bac5e-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.7secp256r1ecdsacryptoidinfoeccparameters memstr_58fc9d86-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\c:\windows\system32\tenantrestrictionsplugin.dllbt8 memstr_eabf61c0-b
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\system32\ondemandconnroutehelper.dll8 memstr_10fc2aa5-0
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.156.11235.1.1.2.1 memstr_b8f704d7-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.156.11235.1.1.2.1ec192wapiecdhcryptoidinfoeccparameters memstr_406b5afb-7
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.1 memstr_f3c36c11-f
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.1nistp192ecdsacryptoidinfoeccparameters memstr_85c7eab1-9
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.7nistp256ecdsacryptoidinfoeccparameters memstr_cb7fc82c-e
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.1secp192r1ecdhcryptoidinfoeccparameters memstr_bb4998e5-3
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.156.11235.1.1.2.1ec192wapiecdsacryptoidinfoeccparameters memstr_82ed4805-a
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.7secp256r1ecdhcryptoidinfoeccparameters memstr_1d50c123-5
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tenantrestrictions\payloadbt8 memstr_927669aa-8
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.1secp192r1ecdsacryptoidinfoeccparameters memstr_6f03712c-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.1x962p192v1ecdsacryptoidinfoeccparameters memstr_32dfbe24-c
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.10045.3.1.1x962p192v1ecdhcryptoidinfoeccparameters memstr_d3a87994-4
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ^^^xouwp4joea0uwbbqifen2y6kmcomqx3gsobg+ewj59fczm00xe/zsgseynm9xft337ppyc65ks+h4crcbigamw==^^^fujbvxtx9qsh7faaacluna==^^^07--02-09^^^3c17xxdct27c2ufsnrpcfq==^^^mrs78u/k4/2ats2gwfcze7gmqsrqbswqdcva5qz/o45eznfvpzmsbrbur7jkqgddperboybgpav8vc8rvyk/xw==^^^ypwz9zmytqxntfhfseklka==^^^ memstr_88ec19dc-3
Source: rundll32.exe, 0000000D.00000003.2070990427.00000000007E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *~y\user\s-1-5-21-2246122658-3693405117-2476756634-1003\control panel\international\user profile memstr_97b2fe69-7
Source: rundll32.exe, 0000000D.00000003.3425372897.0000000002961000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \registry\machine\software\classes\wow6432node\clsid\{2087c2f4-2cef-4953-a8ab-66779b670495}\registry\machine\software\classes\wow6432node\clsid\{2087c2f4-2cef-4953-a8ab-66779b670495},gk memstr_ca6bbca0-c
Source: rundll32.exe, 0000000D.00000003.3425372897.0000000002961000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ~ ^~y\machine\software\classes\clsid\{2087c2f4-2cef-4953-a8ab-66779b670495} memstr_1146bf1d-f
Source: rundll32.exe, 0000000D.00000003.3413242093.0000000002961000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ~ ^~y\machine\system\currentcontrolset\services\winsock2\parameters memstr_fb84e765-5
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qqqqqqqqqqqqqqqq memstr_c26e0d16-4
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qqqqqqqqqqqqqqqqm memstr_10d2cffc-4
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dasyc memstr_7e948b1a-c
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ncalrpc memstr_9adc0842-4
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: negotiate memstr_3a63573b-5
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pku2u memstr_0af37bb0-8
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wdigest memstr_1d962a4e-a
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: schannel memstr_f76f4c2e-d
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: negoextender memstr_2dac8198-1
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tsssp memstr_f54170ae-8
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: default tls ssp memstr_45e98401-6
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: credssp memstr_e845f07c-5
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kerberos memstr_0bde82b4-4
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: asych memstr_b13e49ce-0
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 647wl memstr_e930927a-b
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pvcwm memstr_e9719dee-e
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ncryptsslp.dll memstr_1d0c57cf-7
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: aw1.2.840.113549.1.1.1 memstr_7edbfae4-5
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ytr[^f"ghk memstr_cc2c806a-e
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: aw1.2.840.113549.3.7 memstr_743e74c8-3
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lrpc-ee37db743722568fd1 memstr_c501b36b-1
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: aw1.2.840.113549.3.2 memstr_b39e06b3-7
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: aw1.2.840.113549.3.4 memstr_f51e9c11-b
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft kerberos v1.0 memstr_45781225-9
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.9.16.1.1 memstr_4101ddb4-2
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.9.16.2.1 memstr_74be64c0-5
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ytr[^f"ghk3 memstr_9ddc89b7-7
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft unified security protocol provider memstr_76addd71-1
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft unified security protocol provider4 memstr_3012f0e3-b
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lrpc-0f0f983ddda573ee35= memstr_8c79a48e-d
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: essreceiptrequestdecodeex memstr_682a4ceb-b
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: essreceiptrequestdecodeex& memstr_d8a5b6bf-e
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.9.16.2.11 memstr_e32149cf-1
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.9.16.2.11/ memstr_ad4e4635-e
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: esskeyexchpreferencedecodeex memstr_ddec28ba-9
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: esskeyexchpreferencedecodeexp memstr_4fbe07ec-0
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.9.16.2.12 memstr_46f488e6-c
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.9.16.2.12y memstr_efaca911-6
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lrpc-0f0f983ddda573ee35b memstr_f84ccd2c-e
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ntlm security packagek memstr_b8682e6c-2
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: https://pastebin.com/l memstr_c4701543-5
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pku2u security packageg memstr_acf1ccef-f
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lrpc-0f0f983ddda573ee35h memstr_7460d65f-d
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lrpc-ee37db743722568fd1o memstr_b7a14dd9-b
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: asyc8 memstr_3bf3d5d5-5
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dasyc`f memstr_236b930c-0
Source: rundll32.exe, 0000000D.00000003.3514890180.000000000690C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pvcw/ memstr_c43be21e-f
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 25vanv4sdmc3veafr8s2m3m9u6wrh3p7fdd9t9q10iag5wzj5k5! memstr_7e11e0a5-e
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: trolh memstr_153a8ed9-8
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: tls_ecdhe_rsa_with_aes_256_gcm_sha384aes memstr_72143dd4-3
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: jud{hw memstr_fdf79e50-6
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: agl`y memstr_0cc28ee3-6
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: cw@hrwp memstr_f17613be-c
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: `_u0u memstr_7f766a69-8
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: pvcw0 memstr_fd0a1c71-9
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: d`cw\ memstr_ce2f2006-0
Source: rundll32.exe, 0000000D.00000002.3753630706.000000000BC6E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: x0x0b memstr_ad12df03-d
Source: rundll32.exe, 0000000D.00000002.3752310026.000000000627E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: t t` memstr_00f43e10-7
Source: rundll32.exe, 0000000D.00000002.3752310026.000000000627E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \??\c:\windows\syswow64\wtsapi32.dll32.dll\??\c:\windows\system32\wtsapi32.dll memstr_eff6b931-e
Source: rundll32.exe, 0000000D.00000002.3752310026.000000000627E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ggw##xx memstr_ecb7100e-b
Source: rundll32.exe, 0000000D.00000002.3752310026.000000000627E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ppgwh memstr_e13733cb-1
Source: rundll32.exe, 0000000D.00000002.3752310026.000000000627E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: +s++h memstr_03d539f4-a
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: feature not implemented memstr_8dd60dad-9
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: object lock not owned memstr_751c156c-f
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: interface not supported memstr_4f0ebf5f-a
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: external exception %x memstr_adbada81-f
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: privileged instruction memstr_88dc91fc-f
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: invalid class typecast memstr_46684ab2-e
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: floating point overflow memstr_40cb4441-b
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: invalid numeric input memstr_38935440-b
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: read beyond end of file memstr_8bc7a28a-b
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: invalid time string: %s memstr_a73431f4-4
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: invalid date string: %s memstr_54762c43-e
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: resolving hostname %s. memstr_d94890ad-6
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dwm notification window memstr_b4771ab8-5
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: new tab - google chrome memstr_7a8a72a6-1
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: new tab - google chrome! memstr_4280eb36-8
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: new tab - google chromea memstr_beab8f62-f
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: native.streamtoblockme memstr_b06f54d8-9
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: native.streamtoblockme! memstr_cf4b3d6f-7
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: azo06olt3gs7uifwf18b8 memstr_156daad5-d
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 50qgc5tvgwgctir3mczekrt304i8hneonhc+2qzfpz8= memstr_dc9545ea-a
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ,50qgc5tvgwgctir3mczekrt304i8hneonhc+2qzfpz8= memstr_2220e38c-9
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: https://setember2024inf2.is-a-nurse.com:50 memstr_958c75a8-4
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: *https://setember2024inf2.is-a-nurse.com:50k5! memstr_7225ef01-4
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 5vanv4sdmc3veafr8s2m3m9u6wrh3p7fdd9t9q10iag5wzj5k5 memstr_d28e588c-6
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 25vanv4sdmc3veafr8s2m3m9u6wrh3p7fdd9t9q10iag5wzj5k5a memstr_b7619fa4-6
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: c:\users\user\desktopk5 memstr_2878dc14-4
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: c:\users\user\desktop\! memstr_b2bac179-8
Source: rundll32.exe, 0000000D.00000002.3751406101.0000000005DDC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: nd\bds memstr_7b8215e9-6
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pastebin.compastebin.com memstr_4b79776f-9
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mozilla/4.0 (compatible; win32; winhttp.winhttprequest.5) memstr_23398732-b
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: keep-alive memstr_34d0c07b-e
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: */*mozilla/4.0 (compatible; win32; winhttp.winhttprequest.5)keep-alive memstr_92f7bd35-1
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: in; charset=utf-8 memstr_526fa3a6-5
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: in; charset=utf-8conl memstr_f7c7145d-0
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tcpcx memstr_a62aaf7b-8
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0_ollm memstr_8425cb5f-e
Source: rundll32.exe, 0000000D.00000003.3514738682.0000000006985000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hresq memstr_98923b09-9
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [tcp/ip]2\mswsock.dll,-60100 memstr_4f9948cb-9
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [udp/ip]2\mswsock.dll,-60101 memstr_de702699-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [raw/ip]2\mswsock.dll,-60102f memstr_bd2195c0-a
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [tcp/ipv6]mswsock.dll,-60200 memstr_f32ecc3b-d
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [udp/ipv6]mswsock.dll,-60201 memstr_316dcec9-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [raw/ipv6]mswsock.dll,-60202& memstr_9a7c989b-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: af_unixf memstr_030d29ed-4
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsvp tcpv6 service providers.dll,-100f memstr_f80ddfb0-1
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsvp tcp service providerqos.dll,-101& memstr_80cb4d95-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsvp udpv6 service providers.dll,-102& memstr_c18b3796-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsvp udp service providerqos.dll,-103& memstr_8a39f911-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hyper-v raw memstr_0c272d90-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd l2cap [bluetooth]& memstr_cf50e865-2
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd rfcomm [bluetooth]o memstr_74bd4312-9
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [tcp/ip]/ memstr_8f54d2bc-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dasyc memstr_5f2e1b0e-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uompasl( memstr_8f26a87c-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: af_unixg memstr_e518e199-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wbg`|m memstr_f25fab66-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: j8x+dh; memstr_a46e7160-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wi-]{ memstr_5d65779d-a
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tz}qe memstr_b2266015-5
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #ko0~ memstr_b6364416-1
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pastebin.compastebin.com memstr_133c4049-2
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsvp udpv6 service provider$ memstr_2d6de512-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsvp tcp service providerk memstr_a5ac6be2-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [udp/ipv6] memstr_e784e412-e
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd l2cap [bluetooth] memstr_61c865b3-2
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd rfcomm [bluetooth]( memstr_76aaa779-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: simsun-extb memstr_c3a2fd8a-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: simsun-extbo memstr_78c22206-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsvp tcpv6 service provider memstr_0346caf6-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsvp udp service provider memstr_085d6704-1
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pastebin.compastebin.com, memstr_dbaee5b6-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [raw/ipv6]/ memstr_8bbaad9e-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: accept memstr_0bbe9719-5
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: accept*/*omh memstr_b3cbdd8c-f
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ncalrpc memstr_b1b767af-4
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: accept*/* memstr_54e768d7-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: california1 memstr_b7ff0a61-0
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: san francisco1*0( memstr_982e00a2-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: !the universe security company ltd1*0( memstr_48205877-a
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: !the universe security company ltd0 memstr_596d600d-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 241002013438z memstr_e21b59e6-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 251002013438z0 memstr_b774c345-9
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pastebin.com0 memstr_9d447da8-4
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &,6 /g memstr_31037eed-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: m@^j^ memstr_8393cdac-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: !the universe security company ltd memstr_2997790c-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pastebin.com memstr_a2b29e9a-a
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *.pastebin.com0 memstr_9f18084d-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.9.16.2.2 memstr_2fbb9343-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.1.1 memstr_8f9bc88e-d
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.1.5 memstr_0072c8a0-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: certificate manifold memstr_fca08148-1
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netscape revocation url memstr_cb469cf9-5
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: unsigned cmc request memstr_3fe39cae-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pkcs 7 signed enveloped memstr_9fa4c3ab-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: subject key identifier memstr_cbb29f30-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: esssecuritylabeldecodeex memstr_faeffcc3-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: issuer alternative name memstr_95d4465e-9
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: key usage restriction memstr_4ba78f84-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: esssigncertificatedecodeex memstr_25a4a619-e
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: certificate policies memstr_17637605-f
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: certificate extensions memstr_a3b80770-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: virtual base crl number memstr_a4e1ae8f-2
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: certificate extensions6 memstr_b58a5bcf-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: private key archival? memstr_8f290991-e
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: published crl locations memstr_3291a50f-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.1.11 memstr_a4b82bdd-4
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.1.11) memstr_3b631a0a-5
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: spcfinancialcriteriar memstr_639c01e5-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: encrypted private key[ memstr_47c47618-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: crl distribution points\ memstr_c30216d7-f
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netscape ssl servernamee memstr_7d2821ce-b
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windows product updaten memstr_a33dfe66-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.9.16.2.4 memstr_f791f60c-4
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.9.16.2.4w memstr_88daf740-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.9.16.2.3 memstr_56292c79-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1.2.840.113549.1.9.16.2.3x memstr_1e57e876-d
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: next update locationa memstr_4b872615-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: unstructured addressj memstr_1def0fc2-d
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netscape ca policy url memstr_1b92544d-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: application policies memstr_8a521595-0
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: supported algorithms memstr_c16f4f63-f
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tpm security assertions memstr_67bf7eb1-8
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: certificate trust list0 memstr_1e3e764f-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: root program flags memstr_4172785a-5
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: domain component memstr_8e0d4117-2
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: spcminimalcriteria memstr_92207a77-0
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: client information memstr_361d11d5-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: name constraints memstr_e73b0e65-6
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: jurisdiction hash memstr_12a50543-e
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: next crl publish memstr_1c495ece-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: organisational unit memstr_e8a42b0a-2
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cross ca version memstr_36d13666-3
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netscape cert type memstr_d6a42c4d-5
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: policy constraints memstr_6a66cb39-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: delta crl indicator memstr_4d4b70ef-d
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pkcs 7 enveloped memstr_8e495262-a
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: key recovery agent memstr_b7f4c426-f
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netscape base url memstr_fedcb8c9-4
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: enterprise root oid memstr_98530f71-a
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inhibit any policy memstr_905ad34c-c
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pkcs 7 encrypted memstr_3b168acd-0
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: state or province memstr_1c72d012-1
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netscape comment memstr_04bcc8b3-7
Source: rundll32.exe, 0000000D.00000003.3722392095.000000000692E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: quuu@ memstr_5da8e816-0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5.dll",#1
Source: Amcache.hve.25.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.25.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.25.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe, 0000000D.00000002.3752582020.00000000068F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.25.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct