Windows Analysis Report
Register.dll

Overview

General Information

Sample name: Register.dll
Analysis ID: 1531071
MD5: 40b9628354ef4e6ef3c87934575545f4
SHA1: 8fb5da182dea64c842953bf72fc573a74adaa155
SHA256: 372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

Detection

Score: 30
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Contains functionality to infect the boot sector
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
Queries keyboard layouts
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: Register.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: Register.dll Static PE information: certificate valid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040C904 FindFirstFileW,FindClose, 0_2_0040C904
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040CB84 FindFirstFileW,GetLastError, 0_2_0040CB84
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00407618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 0_2_00407618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0040C904 FindFirstFileW,FindClose, 4_2_0040C904
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0040CB84 FindFirstFileW,GetLastError, 4_2_0040CB84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00407618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 4_2_00407618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0424C904 FindFirstFileW,FindClose, 5_2_0424C904
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0424CB84 FindFirstFileW,GetLastError, 5_2_0424CB84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04247618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 5_2_04247618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0040C904 FindFirstFileW,FindClose, 12_2_0040C904
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0040CB84 FindFirstFileW,GetLastError, 12_2_0040CB84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00407618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 12_2_00407618
Source: Register.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Register.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Register.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Register.dll String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Register.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Register.dll String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Register.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Register.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Register.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Register.dll String found in binary or memory: http://ocsp.comodoca.com0
Source: Register.dll String found in binary or memory: http://ocsp.digicert.com0A
Source: Register.dll String found in binary or memory: http://ocsp.digicert.com0C
Source: Register.dll String found in binary or memory: http://ocsp.digicert.com0X
Source: Register.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: Register.dll String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Register.dll String found in binary or memory: http://s.symcd.com06
Source: Register.dll String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Register.dll String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Register.dll String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.10.dr String found in binary or memory: http://upx.sf.net
Source: rundll32.exe String found in binary or memory: http://www.indyproject.org/
Source: Register.dll String found in binary or memory: https://d.symcb.com/cps0%
Source: Register.dll String found in binary or memory: https://d.symcb.com/rpa0
Source: Register.dll String found in binary or memory: https://d.symcb.com/rpa0.
Source: Register.dll String found in binary or memory: https://sectigo.com/CPS0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0048A650 GetObjectW,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 0_2_0048A650
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004B76AC GetKeyboardState, 0_2_004B76AC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004C7378: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, 0_2_004C7378
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 644
Source: classification engine Classification label: sus30.winDLL@39/30@0/0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00488AAC GetLastError,FormatMessageW, 0_2_00488AAC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040CF02 GetDiskFreeSpaceW, 0_2_0040CF02
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0048DEB0 CoCreateInstance, 0_2_0048DEB0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004089F2 FreeResource, 0_2_004089F2
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1280
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3392
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3944
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3708
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5696
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5388
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7128
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3e9b4938-9118-4a57-b64a-bc23af1c0044
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\ProgramData\{E0224FF9-7AE3-4F9E-991A-2F004F7E3952}\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: loaddll32.exe String found in binary or memory: Start/Stop Count
Source: loaddll32.exe String found in binary or memory: NATS-SEFI-ADD
Source: loaddll32.exe String found in binary or memory: NATS-DANO-ADD
Source: loaddll32.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: loaddll32.exe String found in binary or memory: jp-ocr-b-add
Source: loaddll32.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: loaddll32.exe String found in binary or memory: jp-ocr-hand-add
Source: loaddll32.exe String found in binary or memory: ISO_6937-2-add
Source: rundll32.exe String found in binary or memory: Start/Stop Count
Source: rundll32.exe String found in binary or memory: NATS-SEFI-ADD
Source: rundll32.exe String found in binary or memory: NATS-DANO-ADD
Source: rundll32.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: rundll32.exe String found in binary or memory: jp-ocr-b-add
Source: rundll32.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: rundll32.exe String found in binary or memory: jp-ocr-hand-add
Source: rundll32.exe String found in binary or memory: ISO_6937-2-add
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Register.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Register.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveApp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 644
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 652
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveAppSpecial
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 644
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveTrial
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveApp
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveAppSpecial
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveTrial
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ValidateThreadLicense
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",GetSurplusDays
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",GetLicenseType
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ClearTrialData
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckTrialInstalled
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckLicenseLocatin
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckDbValue
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 644
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 644
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 644
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 644
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msimg32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: crtdll.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\ProgramData\{E0224FF9-7AE3-4F9E-991A-2F004F7E3952}\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Register.dll Static file information: File size 1081320 > 1048576

Persistence and Installation Behavior

Source: C:\Windows\System32\loaddll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 0_2_004C7378
Source: C:\Windows\System32\loaddll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 0_2_004C764C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 4_2_004C7378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 4_2_004C764C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 5_2_0430764C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 5_2_04307378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 12_2_004C7378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 12_2_004C764C

Boot Survival

Source: C:\Windows\System32\loaddll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 0_2_004C7378
Source: C:\Windows\System32\loaddll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 0_2_004C764C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 4_2_004C7378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 4_2_004C764C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 5_2_0430764C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 5_2_04307378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 12_2_004C7378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 12_2_004C764C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00490074 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00490074
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004BE398 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_004BE398
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00496D58 IsIconic, 0_2_00496D58
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004BED60 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongW,GetWindowLongW,GetWindowLongW,ScreenToClient,ScreenToClient, 0_2_004BED60
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00496DD8 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow, 0_2_00496DD8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004BDA28 IsIconic,GetCapture, 0_2_004BDA28
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00499A24 IsIconic,SetFocus,GetParent,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC, 0_2_00499A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00490074 IsIconic,GetWindowPlacement,GetWindowRect, 4_2_00490074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004BE398 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 4_2_004BE398
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00496D58 IsIconic, 4_2_00496D58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004BED60 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongW,GetWindowLongW,GetWindowLongW,ScreenToClient,ScreenToClient, 4_2_004BED60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00496DD8 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow, 4_2_00496DD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004BDA28 IsIconic,GetCapture, 4_2_004BDA28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00499A24 IsIconic,SetFocus,GetParent,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC, 4_2_00499A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042D0074 IsIconic,GetWindowPlacement,GetWindowRect, 5_2_042D0074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042FE398 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 5_2_042FE398
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042FED60 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongW,GetWindowLongW,GetWindowLongW,ScreenToClient,ScreenToClient, 5_2_042FED60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042D6D58 IsIconic, 5_2_042D6D58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042D6DD8 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow, 5_2_042D6DD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042FDA28 IsIconic,GetCapture, 5_2_042FDA28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042D9A24 IsIconic,SetFocus,GetParent,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC, 5_2_042D9A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00490074 IsIconic,GetWindowPlacement,GetWindowRect, 12_2_00490074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BE398 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 12_2_004BE398
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00496D58 IsIconic, 12_2_00496D58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BED60 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongW,GetWindowLongW,GetWindowLongW,ScreenToClient,ScreenToClient, 12_2_004BED60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00496DD8 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow, 12_2_00496DD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BDA28 IsIconic,GetCapture, 12_2_004BDA28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00499A24 IsIconic,SetFocus,GetParent,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC, 12_2_00499A24
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_004A0790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 4_2_004A0790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 5_2_042E0790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 12_2_004A0790
Source: C:\Windows\System32\loaddll32.exe API coverage: 4.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.7 %
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040C904 FindFirstFileW,FindClose, 0_2_0040C904
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040CB84 FindFirstFileW,GetLastError, 0_2_0040CB84
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00407618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 0_2_00407618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0040C904 FindFirstFileW,FindClose, 4_2_0040C904
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0040CB84 FindFirstFileW,GetLastError, 4_2_0040CB84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00407618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 4_2_00407618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0424C904 FindFirstFileW,FindClose, 5_2_0424C904
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0424CB84 FindFirstFileW,GetLastError, 5_2_0424CB84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04247618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 5_2_04247618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0040C904 FindFirstFileW,FindClose, 12_2_0040C904
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0040CB84 FindFirstFileW,GetLastError, 12_2_0040CB84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00407618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 12_2_00407618
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040828E GetSystemInfo, 0_2_0040828E
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: Amcache.hve.10.dr Binary or memory string: VMware
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.10.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0426CE78 GetClassInfoW,UnregisterClassW,RegisterClassW,LdrInitializeThunk,SetWindowLongW, 5_2_0426CE78
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",#1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004CA434 cpuid 0_2_004CA434
Source: C:\Windows\System32\loaddll32.exe Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW, 0_2_00407814
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_00412370
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_00412322
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_00412324
Source: C:\Windows\System32\loaddll32.exe Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW, 0_2_0040794F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW, 4_2_00407814
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_00412370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_00412322
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_00412324
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW, 4_2_0040794F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW, 5_2_04247814
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 5_2_04252324
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 5_2_04252322
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 5_2_04252370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW, 5_2_0424794F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW, 12_2_00407814
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 12_2_00412370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 12_2_00412322
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 12_2_00412324
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW, 12_2_0040794F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040F2D4 GetLocalTime, 0_2_0040F2D4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00430F78 GetTimeZoneInformation, 0_2_00430F78
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004D80C0 GetVersion, 0_2_004D80C0
Source: Amcache.hve.10.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\loaddll32.exe Code function: cmd.exe /k ping 0_2_00484FE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: cmd.exe /k ping 4_2_00484FE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: cmd.exe /k ping 5_2_042C4FE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: cmd.exe /k ping 12_2_00484FE8
No contacted IP infos