Joe Sandbox Windows Analysis Report
AIDE.dll

Overview

General Information

Sample name: AIDE.dll
Analysis ID: 1541476
MD5: 88bb7da02bb090f865c572342c3c0707
SHA1: 631444929367bb3a0dcd8bc606c2fb886b301ebd
SHA256: f65fdf18113f4066bf0edf398ace48a01b181687368d1a29e517138d496b2de0

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
One or more processes crash
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5344 cmdline: loaddll32.exe "C:\Users\user\Desktop\AIDE.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 1776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3132 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AIDE.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 1912 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 1220 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 568 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 2548 cmdline: rundll32.exe C:\Users\user\Desktop\AIDE.dll,??0AIDEDimension@AIDE@@QAE@II@Z MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 3416 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 604 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 6728 cmdline: rundll32.exe C:\Users\user\Desktop\AIDE.dll,??0AIDEDimension@AIDE@@QAE@XZ MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 988 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6728 -s 624 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 1268 cmdline: rundll32.exe C:\Users\user\Desktop\AIDE.dll,??0AIDEFormatType@AIDE@@QAE@H@Z MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 5396 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 632 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 3708 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",??0AIDEDimension@AIDE@@QAE@II@Z MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6596 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",??0AIDEDimension@AIDE@@QAE@XZ MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3576 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",??0AIDEFormatType@AIDE@@QAE@H@Z MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 716 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEWritePrivateChunk MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6068 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEWebPEncodeOptionsSetImageQuality MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1016 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEWebPEncodeOptionsSetCompressionType MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4600 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetTileSize MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1088 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetPyramidParamsCustomLayers MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 368 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetPyramidParams MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1112 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetCustomEncodeParams MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2324 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetCompressionScheme MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5580 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsDiableLayer MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2100 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDERawEncodeOptionsSetBlurMethod MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5660 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetPalettizationTechnique MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4460 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetPHYChunk MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6548 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetInterlaced MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1816 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetForcedPaletteCreation MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1912 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetFilterType MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2188 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetCompressionLevel MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6108 cmdline: rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetAttemptPaletteCreation MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

Source: AIDE.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: AIDE.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Source: Binary string: AIDE.pdb source: loaddll32.exe, 00000000.00000002.3388762896.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.2195035465.000000006D197000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2189878555.000000006D197000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2189953587.000000006D197000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.2221280907.000000006D197000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.2295827128.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.2295475339.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.2242151164.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.2243258186.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2299519975.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2318205841.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000018.00000002.2245018148.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.2243443995.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.2247807589.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.2247037175.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.2242070295.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.2248831521.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000020.00000002.2245169688.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.2258313899.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 
00000022.00000002.2250653537.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.2250123188.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000024.00000002.2256345581.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.2248848969.000000006D427000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000027.00000002.2261825532.000000006D427000.00000002.00000001.01000000.00000003.sdmp, AIDE.dll
Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 568
Source: classification engine | Classification label: clean4.winDLL@92/20@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1776:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6728
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2548
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1912
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1268
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a012b798-eef4-4e3a-a255-4693fb88f4ae
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\AIDE.dll,??0AIDEDimension@AIDE@@QAE@II@Z
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\AIDE.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AIDE.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 604
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\AIDE.dll,??0AIDEDimension@AIDE@@QAE@XZ
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6728 -s 624
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\AIDE.dll,??0AIDEFormatType@AIDE@@QAE@H@Z
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 632
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",??0AIDEDimension@AIDE@@QAE@II@Z
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",??0AIDEDimension@AIDE@@QAE@XZ
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",??0AIDEFormatType@AIDE@@QAE@H@Z
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEWritePrivateChunk
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEWebPEncodeOptionsSetImageQuality
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEWebPEncodeOptionsSetCompressionType
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetTileSize
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetPyramidParamsCustomLayers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetPyramidParams
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetCustomEncodeParams
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetCompressionScheme
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsDiableLayer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDERawEncodeOptionsSetBlurMethod
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetPalettizationTechnique
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetPHYChunk
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetInterlaced
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetForcedPaletteCreation
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetCompressionLevel
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetAttemptPaletteCreation
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 632
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 604
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvcp140.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: AIDE.dll | Static PE information: More than 195 > 100 exports found
Source: AIDE.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: AIDE.dll | Static file information: File size 3224064 > 1048576
Source: AIDE.dll | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x26ba00
Source: AIDE.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AIDE.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AIDE.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AIDE.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AIDE.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AIDE.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: AIDE.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: AIDE.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: AIDE.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: AIDE.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: AIDE.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: AIDE.dll | Static PE information: section name: IPPCODE
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
Source: Amcache.hve.9.dr  Binary or memory string: VMware
Source: Amcache.hve.9.dr  Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr  Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr  Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr  Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr  Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr  Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr  Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr  Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.9.dr  Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr  Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr  Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr  Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr  Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr  Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr  Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr  Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr  Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr  Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr  Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr  Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr  Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr  Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr  Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr  Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr  Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr  Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr  Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr  Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exe  Process queried: DebugPort (46 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AIDE.dll",#1
Source: Amcache.hve.9.dr  Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr  Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr  Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr  Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr  Binary or memory string: MsMpEng.exe
ATT&CK matrix, one line per tactic (numbers in parentheses are the counts shown next to a technique in the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Rundll32 (1); Process Injection (11); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (21); Virtualization/Sandbox Evasion (1); System Information Discovery (1); System Network Configuration Discovery; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph (ID: 1541476, Sample: AIDE.dll, Startdate: 24/10/2024, Architecture: WINDOWS, Score: 4): loaddll32.exe starts cmd.exe, two rundll32.exe instances and 22 other processes; cmd.exe starts a further rundll32.exe; the rundll32.exe instances (and the group of other processes) are each followed by a WerFault.exe crash handler.

Source  Detection  Scanner  Label  Link
AIDE.dll  0%  ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source  Detection  Scanner  Label  Link
http://upx.sf.net  0%  URL Reputation  safe
No contacted domains info
Name  Source  Malicious  Antivirus Detection  Reputation
http://upx.sf.net  Amcache.hve.9.dr  false  URL Reputation: safe  unknown
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1541476
Start date and time:2024-10-24 21:44:32 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 3s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:42
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:AIDE.dll
Detection:CLEAN
Classification:clean4.winDLL@92/20@0/0
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.168.117.173, 104.208.16.94
  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • VT rate limit hit for: AIDE.dll
Time  Type  Description
15:45:31  API Interceptor  4x Sleep call for process: WerFault.exe modified
No context
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8647734121050142
Encrypted:false
SSDEEP:96:ldFkRp6iCLhVypsj94sSdv/fhjQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/Yyv:n9iwOpn00BU/wjeT8zuiFQZ24IO8dci
MD5:FD7BB3FB023700B2B86854EAAC54F559
SHA1:0ADA8671657B60D21F77217970B4B0CB49C9919B
SHA-256:3FA9298CEFDAD5D8925AED508CAA5E683919E8078AC87218C0EB215F83105D9E
SHA-512:200FC2E0BEE957972980A0E3A90335F2350AFE37D95A59067FD01DA9E37D3CCB4BDE27F8E88EF9A15300E2D88CAE89713D2A4EB03E1D2C6A6345FB5317D2CF11
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8646186575800656
Encrypted:false
SSDEEP:192:1MBi2Otn00BU/wjeT8zuiFQZ24IO8dci:Gi3tvBU/wjeIzuiFQY4IO8dci
MD5:D68166B6B9713DCA151016B1BC73F484
SHA1:333B27657BEBDB4FDFC3E94E947DC615B4CF3EC2
SHA-256:6CFDD817073D7E25C30971DBF0331C7D28455007A0BEBAAE2ECDB93FB6398185
SHA-512:AF9A85623A768A35F5FFACD5A27D375AFBDB5547D0422CEE5E4C044F16EA515821619920D7A04CCBD3D1E7DBF19925C0033EAF57370C74259F1A0FD9502E0826
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8645173483587538
Encrypted:false
SSDEEP:192:Lr5i0OdOnA0BU/wjeTEzuiFQZ24IO8dci:BiFkbBU/wjeQzuiFQY4IO8dci
MD5:D754EA6D7E971B71C38FBE2F0DF03F19
SHA1:332CC8F7C297B7A5500DA9C026038EAD195B0533
SHA-256:3703C4F7A6806A16B1FE674CC1A694EF6A24B56C8E87EB20C0F60B2B97048B64
SHA-512:682CD1CFEE24D2A684C20B7FDBE36537AFFDAAD743EE57644A1A541124BF62FB89FE17C8FB1D8629EBA256CAF5E9ABD6909108CD8FB59E563BA7C357A3993F84
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8646047505851667
Encrypted:false
SSDEEP:96:G1Fs6iphVy+sj94sSdv/fh+QXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNl4O:afipO+nR0BU/wjeTMzuiFQZ24IO8dci
MD5:62A44A5E7E7D869BED070E0EEF1F705E
SHA1:119832442C90D09BC7BA650100BC76B1486F8D33
SHA-256:EE0BF3D8BC221AFF58C2E906D847BB9B7B06AB7EB2FFF43F7467A1A56218EDB5
SHA-512:42A2B293CE544B35C9F957C67BA2966E40EE6526C851DA60512B3E33FF91E0D39B54FB9C58D78AD6CEDA6A7CDFF4E2ACA013ECFDA62E4FB21CA03612213491EE
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Oct 24 19:45:27 2024, 0x1205a4 type
Category:dropped
Size (bytes):42934
Entropy (8bit):1.9467745749728307
Encrypted:false
SSDEEP:96:568ERESAYXgjiYFZob8Ykxm6TSE2goEloi75I4v46geqrlNLHnbaGA2y3+BH2rKC:HERyR/pctESO5H4wP+y3KPJa+fuFuLy
MD5:AE0E384FCE614C64D5C1E8EA674717D4
SHA1:8D3277BAA2E5CFC11475F14D4830B921E87C991E
SHA-256:8139116D528C9D97D1A5C65C71006BC904E22D666E91CF5F68B71BEDEBD4AFBD
SHA-512:95C93075350F77C1579023E06C6ABC9B08C92509BAA089A0D71C8F0FDB2CE742137C823B343A4DF2EF0BEE2A6C279F13B3612223B1A7058BE34F74B70A455E0A
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Oct 24 19:45:27 2024, 0x1205a4 type
Category:dropped
Size (bytes):51130
Entropy (8bit):1.8109183029570783
Encrypted:false
SSDEEP:192:H4d46WCaAjO5H4adggN++SXDAfCGygQUTT:YNa5HC+SMfC7UT
MD5:82B4C26AA5E2194534132859C5C253AB
SHA1:48C41BFE18FE3E98CC4A4CAE19266832A98AD8AE
SHA-256:EB2D3522460F2752AB5F070BCA4C53490431203AB13157894BB49DD04DF656CB
SHA-512:88316528B3C68A54EBD467693E3CF3F3E174B2D59DA30AC7CAAC8A8A1BA9F53C4FD21025C176125E5A979CE5DA25C88F4639F27112A1BA8B25ED83D50459EF46
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8258
Entropy (8bit):3.693665793837194
Encrypted:false
SSDEEP:192:R6l7wVeJeR6IVw6Y0L6pwgmfTpqHprA89btDsftvm:R6lXJw6IVw6YY6pwgmfTAntofo
MD5:D3B0833D0133058FE583049320DD1670
SHA1:3AD12EE76ADCF62FF27A5F179EE90B371B6337E8
SHA-256:C10BC64493A8488512BD12776D74FA47E9445695131B393F348E2F28F9B2858F
SHA-512:1AE57FB12117BD3B81EFE63FD1065C4F71A761528C272B52FF75C36ED2EFC37C5CB0D14BDC02FDB7191CC1F0B675CBEE93763AA4227FD9C745DA12308B46E9C4
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8254
Entropy (8bit):3.6922455225976463
Encrypted:false
SSDEEP:192:R6l7wVeJeju6Ie76Y4D66lgmfTpqHprp89bt6sfFLvm:R6lXJwu6Ie76Yy66lgmfTA8tZf0
MD5:A183EDC9641956BE151A4F96C701DACE
SHA1:297D5B017128B7FCEA75F65EB1DEC547333FE8DD
SHA-256:47BC9CC5B2C3F69BF58F2AC15EF0D5BFC670171508CD3635A921C30C17F8F467
SHA-512:C5488679F93DFB92B5AD0912642E701EAE3A5CF9748ABA658E8C52BC066FC5F5D9E4B6E358073EDE3F5412A64B642E5C562F7715A35D8401FEE6BA5532F7B7F2
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4646
Entropy (8bit):4.46805298872925
Encrypted:false
SSDEEP:48:cvIwWl8zsWJg77aI974WpW8VYXbYm8M4JCdPxZFHKj+q8/ku10GScS1d:uIjfsI7hx7VW+Jvj20J31d
MD5:36EFB9A88A2B1E6E33DA299CA899F2FF
SHA1:4C902AF9ED04460688275E58A15781D8B758A983
SHA-256:D5A23D9CAA503D9A610A60EF4CAE3B8AF2E120F3AB980E39D6F728F1FCE2EFDE
SHA-512:DCE10646BD7E8EB169440B02486DD6C85FCAA591CD880B010C53E6D3DD149B96F3DE23334F5A81FEB6856D40839DAF26C522962CC77067F2182B527BFC1EBD9A
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="557928" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4646
Entropy (8bit):4.465705968758028
Encrypted:false
SSDEEP:48:cvIwWl8zsWJg77aI974WpW8VYXZYm8M4JCdPxZF4yj+q8/kuX0GScSid:uIjfsI7hx7VWIJUk0J3id
MD5:BD5DB1A2530D1A07C55392ADF0E7A309
SHA1:F33BDCB72855F91716590D42AEAC72422CE7177C
SHA-256:964E1733D2CFD4C049813E25F148A3DEC087EECD07935E1D2F8580B9E2CAF13B
SHA-512:B5BA8598E90B5224078A2BD09F459489737F7EAB933D76786E5BD73F1F94643E642FE5EB640C45A00A2B4687C24AC7670E3FE45AFCA84D63455B9390EB3F4023
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="557928" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Oct 24 19:45:30 2024, 0x1205a4 type
Category:dropped
Size (bytes):41690
Entropy (8bit):2.0158317933178034
Encrypted:false
SSDEEP:192:GEi49R/f9PO5H4wfDpHOJmQSU7NiASRQpIuZ:5s5HBDpu3SY
MD5:EF2A7EAF2736DE813765B11AD1EE613B
SHA1:AE673772E685E99E52D362C857D3F7371C7FC05E
SHA-256:989FEEF90C27E15CFC14CF577CF352E684A830803D89064FABD91B95412162EF
SHA-512:AAC8DE23BBEDF89B0759D11CF44DBA9A7EE145BD82044373865AD2AD0B1712F93684D235EEE18FFCC125D55D84C97F34AEB4B11F139DD61E3E6C93834E6172CB
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8258
Entropy (8bit):3.6939129664666135
Encrypted:false
SSDEEP:192:R6l7wVeJudl6Ic26Y0A6PBgmfTpuHprG89bjysfdBm:R6lXJG6Ic26Yj6ZgmfT81jxfy
MD5:B6AA90C11F96355F2B43D1B229CE9D55
SHA1:1B43C8BC10954DE6E78614217E41277EA04B94C2
SHA-256:4EEBBB2226012B359B3794F2F8963BB06DA802BD6AC3DD0455D593862CACBB46
SHA-512:6045076C6151E9D9C37533BD0742DF204CFBB3FF47BAB5021997A5E3EFCF830224284FFE6B8057A12F13B92EBF0C15B1B0A98A339F710A41AA1B7CDB38130E44
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4646
Entropy (8bit):4.4684479616876525
Encrypted:false
SSDEEP:48:cvIwWl8zsWJg77aI974WpW8VYXXvYm8M4JCdPLFi+q8/kDy0GScSkd:uIjfsI7hx7VWXyJDK0J3kd
MD5:B6B438E459D6C7799D850316E17389E1
SHA1:483F81E6C33FFAE13AB6884041F739518F59A27E
SHA-256:52ABEAB91976BDA3C964D440D01942BA7576E79E3EC58DD3F19E4BC2DC279786
SHA-512:CCC263F4E29FF705A17A10C8D09BE879421FADB734C992447589E5909D1215A2D4FFF93DCA7E60D5EF0AE510CFBBD21DB98CF377F3E87425954B5EA19692EAD2
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="557928" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Oct 24 19:45:33 2024, 0x1205a4 type
Category:dropped
Size (bytes):43986
Entropy (8bit):1.8970553399312238
Encrypted:false
SSDEEP:96:5k8EICNBmYXgjiYFZob8Yoxmn3E7MQwbNJoi75I4v4qii0BRBHkrKVkjS68LWx4H:JEICCR/VdMdcO5H4psbiiLsyotTqFu
MD5:1F813034B79E3D946DCA229FE74BDAB3
SHA1:0C47D9A36B4123FE5DA285B500A527340B2C54D5
SHA-256:6B610A337E74B3B6AEAAB5D4F4F2FCCA7B91F5C8E789937957688A6F40625869
SHA-512:F18235B66E716E94DCB8057CBAF14D8DE35735425EF802F80C33DBBFCB62601325509F4C21D6F24131F6A0C95C088EDE507CA67438D0D049B826AF1529A686AF
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8258
Entropy (8bit):3.6919559627820484
Encrypted:false
SSDEEP:192:R6l7wVeJgP6IcOl6Y0K6hgmfTpRHprG89bo9sfTYm:R6lXJQ6Ic06Y56hgmfTv1o2fp
MD5:07A3173255FF8A0110358D05BABE6215
SHA1:9F68094D53C8E9B30DC8B25F07282BDC0EA2E9B4
SHA-256:019A734F4D29C40D160037E700C845D1D66EE322D2BF12B477931A6D55DACFEC
SHA-512:AE9DB5B1C05064334D2248F2C88E2D942C929D93D7CE3F66DADD40F11898B75EAAA13F32A9314691C324DE6CABB6930A3ED3551815E3A29D3A07393F82D818A1
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4646
Entropy (8bit):4.467623285387864
Encrypted:false
SSDEEP:48:cvIwWl8zsWJg77aI974WpW8VYXJYm8M4JCdP6Fr0+q8/kK10GScShd:uIjfsI7hx7VWYJM80J3hd
MD5:8BA9B84E1E97EEB65CF20A461CF07823
SHA1:78A21C6BD4DCBA7F1005BF23B96BA0E87D23EF5F
SHA-256:ADFFFB4317173351050795595BC9E310F388C2D70374734AF712983BE3E2B9C3
SHA-512:E0646D933760CDB648885E77A668D576732B4FA10A01B665F5068801A9CF5F6AA8BCF8EEB8EFFDA2D04660AE4F4E9806B01A562BF8683B89B397E812353D2F46
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="557928" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.469168066701271
Encrypted:false
SSDEEP:6144:HzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNLjDH5S:TZHtYZWOKnMM6bFppj4
MD5:02FB53D5F03DC3CA752D80F8153988A4
SHA1:50737BB481CCA75ACC775E829B399ABC26B04F38
SHA-256:0111D5662E7742F8A69656C15EB4502F6B6A915479FA00A937B786A4FD890F71
SHA-512:A1FD9D18C637DC4441AAAF44AB52313029BE47DB798649C5BEAFB2EDA07BD60BA23A961098F800E4AFB4698B1DA87C0C812B4195AF196B8FFFDB5D8DBDECB939
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):8192
Entropy (8bit):2.075277690065852
Encrypted:false
SSDEEP:48:YrHV6eEr0bfkoxpqGZqS3eXFPjrjlApl7VplUplEAl17NgJl5XJAPknHmO:YroeEIrkQqGZuXZALxLULEvz9n5
MD5:6A5CBF9F612EE5669CC1A7A6C07AFB9F
SHA1:C4846325D9E0661B06B21A47CDA74D3474A8CAF3
SHA-256:4A8D8F2AC42CCFE7A3712B63316EB06C6FD50EAA9D8AE626894CCD189785FAB4
SHA-512:1FA65ACCA8F2206205CD9C5FFFE6C52CAA9652714AF4B85A977AEE8074514B95623C6E3D5536CF08F69B7C97FF5FACFADFBC1669BCA14D3CEC57D8B6C77BA46F
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):8192
Entropy (8bit):2.10899319099567
Encrypted:false
SSDEEP:48:ItHVbQeEr0bfkoxpqGZqS3eXFPjrjlApl7VplUplEAl17NgJl5XJAPknHmO:It9QeEIrkQqGZuXZALxLULEvz9n5
MD5:DCF1110E76D0933FCD24B7435FDA33EB
SHA1:CB9DB53026F6F4FC1B9B473FCAF437D3771F67C8
SHA-256:F5B393783F454F27C26576382F64DC507CCC759B7DE9FE9D8C9BC9B4F8640B93
SHA-512:350462C37442C50E60DC8A3C18078206B886FC030E26B9D6618F725AA7D6C78BCBB2E82DD8952E6163EF36F8498DC69BBFBDB5644749CDD8F28DBE6608D6FF0D
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):8192
Entropy (8bit):2.0284110781435225
Encrypted:false
SSDEEP:48:ItHVhgbeEr0bffxpq3SWS3eXFPjrjlApl7VplUplEAl17NgJl5XJAPkJHO:It/4eEIrPqizuXZALxLULEvz9Ju
MD5:C0A468CD245E58C6C496CD30B2581E7F
SHA1:27164CA564DEA37EDC5CBA1AB2BA097771D58042
SHA-256:2AF19551C47BD1406C337BDCABD1582691940209BA681A4C79323A99C3F8B1E4
SHA-512:3973B257EF555F839144CC7D7E62E355F4B88522C51023F762BF7735681828A99E49CA1089A7FEEBB03587CFF3927E3C0653A62DAAFD205CB76F4AFADA5F4376
Malicious:false
File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.64334674740505
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:AIDE.dll
File size:3'224'064 bytes
MD5:88bb7da02bb090f865c572342c3c0707
SHA1:631444929367bb3a0dcd8bc606c2fb886b301ebd
SHA256:f65fdf18113f4066bf0edf398ace48a01b181687368d1a29e517138d496b2de0
SHA512:2425b5438e1edb47ba77c130522c36ac1a3b9be03f14418d2217aa209be13c5d811a28238eded3e56c7aaa30ce56f85c73959ec1286334a135b011eb2951db55
SSDEEP:49152:hr2dsUtswYLENDuee1os5iUwYg84HHtGeQ1+704nHITg:EbMee1os5m84HHqKF
TLSH:3AE58C40E6D3A165E1AA05B0907FAB6AAD3C2B241318C5F7D3C4ED7878317C27672B97
File Content Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........ur..............l.......l.......l.......l.......l.......l..........^...................um......................um..4...um.....
Icon Hash:7ae282899bbab082
Entrypoint:0x10266db0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Time Stamp:0x63F0C9E2 [Sat Feb 18 12:51:46 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:8ee2afb2a634d81da6694cec5013d213
Instructions at entrypoint 0x10266db0 (.text):
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F25D4649147h
call 00007F25D46493A8h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F25D4648FF3h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F25D4647D94h
pop ecx
pop ebp
ret
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 102E3FC4h
mov dword ptr [ecx], 10299438h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F25D464911Fh
push 102F956Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F25D4649482h
int3
jmp 00007F25D46494F8h
int3
int3
int3
int3
int3
push 10266E70h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [10303304h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, dword ptr [ebp+08h]
Programming Language:
  • [IMP] VS2008 SP1 build 30729 (import-hash heuristic; the MSVCP140.dll, VCRUNTIME140.dll and api-ms-win-crt-* imports listed below belong to the VS2015-or-later toolchain and the Universal CRT, so the build-30729 guess should not be relied on)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2f9590 | 0x2164 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2fb6f4 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x314000 | 0x6e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x315000 | 0x1001c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2eef80 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2ef000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2eeec0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x297000 | 0x250 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x26b94b | 0x26ba00 | 7c78a4ae4f0b99c76b0de592c53a9e56 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
IPPCODE | 0x26d000 | 0x29375 | 0x29400 | 301bd2a4c4023e7b8ef4d2800d3f5ad5 | False | 0.11089015151515151 | data | 6.193681267415867 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x297000 | 0x65a04 | 0x65c00 | 160d3d5ad86e11a1b1da464513c27649 | False | 0.24074785012285013 | data | 5.065979306424012 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2fd000 | 0x16e1c | 0x7a00 | b215ed69325c4a9c5046198f49dce453 | False | 0.26005379098360654 | data | 4.544523456831283 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x314000 | 0x6e0 | 0x800 | 13b09b33b96fb2af0721bbe31f712d6f | False | 0.39208984375 | data | 3.7054302229261653 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x315000 | 0x1001c | 0x10200 | 00f8b6c67ed2e29d40205eb3f6e3ba53 | False | 0.7304384689922481 | data | 6.710450687816106 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3140a0 | 0x4c0 | data | English | United States | 0.44161184210526316
RT_MANIFEST | 0x314560 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
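The data-directory, section and resource tables above are the output of a static header parse. The Python below is an added example written for this page, not Joe Sandbox code and not the pefile module: it walks the DOS, COFF, optional and section headers with the standard library, computes the per-section Shannon entropy the report shows, decodes the section and DLL characteristics bits, and reproduces the "PE file contains sections with non-standard names" signature that fired on IPPCODE. Because the analysed file is not available here, it builds a constructed two-section PE32 DLL in memory that carries the same DLL characteristics (DYNAMIC_BASE, NX_COMPAT, GUARD_CF) and timestamp as AIDE.dll; the entropy threshold, the list of standard section names and the sample bytes are assumptions, and parse_pe32 can be pointed at the bytes of any real 32-bit PE file.

```python
"""PE32 header and section walker reproducing the static checks shown above: the
section list with entropy and flags, DLL characteristics, the entrypoint's section
and the "non-standard section name" signature.  Added example for this page, standard
library only; it is not Joe Sandbox code and does not use the pefile module."""
import math
import struct
from collections import Counter

# Section names the mainstream Windows linkers emit. Anything else is reported, as the
# sandbox did for IPPCODE (a name Intel IPP static libraries are known to use; confirm on the sample).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".tls", ".bss", ".CRT", ".gfids"}
DLL_CHARACTERISTICS = {0x40: "DYNAMIC_BASE", 0x100: "NX_COMPAT", 0x400: "NO_SEH", 0x4000: "GUARD_CF"}
SECTION_FLAGS = {0x20: "IMAGE_SCN_CNT_CODE", 0x40: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                 0x02000000: "IMAGE_SCN_MEM_DISCARDABLE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant fill, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]

def parse_pe32(image: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> PE32 optional header -> sections."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) optional header")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    sections = []
    for i in range(nsec):                            # 40-byte headers follow the optional header
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        sec_chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawsize": rawsize,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize]),
                         "flags": flag_names(sec_chars, SECTION_FLAGS)})
    return {"machine": machine, "timestamp": stamp, "is_dll": bool(chars & 0x2000),
            "image_base": image_base, "entry_rva": entry_rva, "entrypoint": image_base + entry_rva,
            "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS), "sections": sections}

def section_for_rva(pe: dict, rva: int):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None

def findings(pe: dict) -> list:
    """Static observations worth having before executing anything."""
    out = []
    for s in pe["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            out.append("non-standard section name: " + s["name"])
        if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= set(s["flags"]):
            out.append("writable and executable section: " + s["name"])
        if s["entropy"] > 7.2:                       # threshold is an assumption, not a standard
            out.append("high-entropy (packed or encrypted?) section: " + s["name"])
    for want in ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF"):
        if want not in pe["dll_characteristics"]:
            out.append("mitigation missing: " + want)
    return out

def build_sample_dll() -> bytes:
    """Constructed sample, not AIDE.dll: a PE32 DLL whose .text holds uniformly distributed
    bytes and whose IPPCODE holds NOPs, with the report's DLL characteristics and timestamp."""
    names, payloads = [b".text", b"IPPCODE"], [bytes(range(256)) * 2, b"\x90" * 512]
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0x63F0C9E2, 0, 0, 224, 0x2102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH",        # 72 bytes up to DllCharacteristics
                      0x10B, 14, 0, 512, 512, 0, 0x1000, 0x1000, 0x2000, 0x10000000,
                      0x1000, 0x200, 6, 0, 6, 0, 6, 0, 0, 0x3000, 0x200, 0, 2, 0x4140)
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(128)
    headers = dos + b"PE\0\0" + coff + opt
    for i, name in enumerate(names):
        headers += struct.pack("<8sIIIIIIHHI", name, 512, 0x1000 * (i + 1), 512,
                               0x200 * (i + 1), 0, 0, 0, 0, 0x60000020)
    return headers.ljust(0x200, b"\0") + b"".join(payloads)

if __name__ == "__main__":
    pe = parse_pe32(build_sample_dll())
    print("entrypoint 0x%08x in %s" % (pe["entrypoint"], section_for_rva(pe, pe["entry_rva"])))
    print("findings:", findings(pe))
```

The findings list is the triage result to read alongside the signatures: a non-standard section name on its own is weak evidence, whereas a writable-and-executable section or a missing mitigation would change the picture. The report leaves the .text row's entropy as unknown, so that is the value to compute yourself when triaging the real file.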
DLL | Imports
WindowsCodecs.dll | WICConvertBitmapSource
KERNEL32.dll | InitializeSListHead, DisableThreadLibraryCalls, CloseHandle, WaitForSingleObject, CreateThread, GetSystemInfo, ReleaseSemaphore, CreateSemaphoreA, FreeLibrary, GetProcAddress, LoadLibraryA, IsProcessorFeaturePresent, GetTempPathA, DeleteFileA, GetTempFileNameA, LeaveCriticalSection, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsDebuggerPresent, EnterCriticalSection
ole32.dll | CoInitializeEx, PropVariantClear, CoCreateInstance
MSVCP140.dll | ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z, ?_Xlength_error@std@@YAXPBD@Z, ?uncaught_exception@std@@YA_NXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
VCRUNTIME140.dll | __current_exception, __current_exception_context, _except_handler4_common, __std_type_info_destroy_list, strstr, strrchr, _setjmp3, __CxxLongjmpUnwind, longjmp, memchr, memset, memmove, __CxxFrameHandler3, _CxxThrowException, __std_exception_destroy, __std_exception_copy, __std_terminate, _purecall, memcpy
api-ms-win-crt-runtime-l1-1-0.dll | _initterm_e, _wassert, _invalid_parameter_noinfo_noreturn, exit, _initterm, _cexit, abort, _initialize_narrow_environment, terminate, _seh_filter_dll, _configure_narrow_argv, _crt_atexit, _initialize_onexit_table, _register_onexit_function, _execute_onexit_table
api-ms-win-crt-math-l1-1-0.dll | _libm_sse2_log_precise, floor, _libm_sse2_exp_precise, frexp, _CIatan2, _libm_sse2_log10_precise, _libm_sse2_pow_precise, ceil, _libm_sse2_sqrt_precise, ldexp
api-ms-win-crt-heap-l1-1-0.dll | calloc, free, _callnewh, realloc, _aligned_free, _aligned_malloc, malloc
api-ms-win-crt-stdio-l1-1-0.dll | feof, fopen_s, fseek, __acrt_iob_func, fwrite, fflush, fread, fclose, __stdio_common_vsnprintf_s, __stdio_common_vsprintf, __stdio_common_vfprintf, ftell
api-ms-win-crt-utility-l1-1-0.dll | bsearch, rand, srand, qsort
api-ms-win-crt-convert-l1-1-0.dll | atoi
api-ms-win-crt-environment-l1-1-0.dll | getenv
api-ms-win-crt-string-l1-1-0.dll | strncmp, tolower
Name | Ordinal | Address
??0AIDEDimension@AIDE@@QAE@II@Z | 1 | 0x1010df50
??0AIDEDimension@AIDE@@QAE@XZ | 2 | 0x1010df70
??0AIDEFormatType@AIDE@@QAE@H@Z | 3 | 0x1010df80
??0AIDEFormatType@AIDE@@QAE@XZ | 4 | 0x1010df90
??0AIDEInputOutputStreamCallBacks@AIDE@@QAE@XZ | 5 | 0x1010dfa0
??0AIDEInputStreamCallBacks@AIDE@@QAE@XZ | 6 | 0x1010dfc0
??0AIDELibInitCallBacks@AIDE@@QAE@XZ | 7 | 0x1010dfe0
??0AIDEOutputStreamCallBacks@AIDE@@QAE@XZ | 8 | 0x1010df90
??0AIDEPoint@AIDE@@QAE@II@Z | 9 | 0x1010df50
??0AIDEPoint@AIDE@@QAE@XZ | 10 | 0x1010df70
??0AIDEProgressCallback@AIDE@@QAE@XZ | 11 | 0x1010df90
??0ComponentInfo@AIDE@@QAE@IW4AIDEComponentType@1@@Z | 12 | 0x1010df50
??0ComponentInfo@AIDE@@QAE@XZ | 13 | 0x1010df70
??0PaletteInfo@AIDE@@QAE@XZ | 14 | 0x1010e010
??0PixelPartInfo@AIDE@@QAE@XZ | 15 | 0x100f98b0
??1AIDEDimension@AIDE@@QAE@XZ | 16 | 0x100f9b30
??1AIDEFormatType@AIDE@@QAE@XZ | 17 | 0x100f9b30
??1AIDEInputOutputStreamCallBacks@AIDE@@QAE@XZ | 18 | 0x100f9b30
??1AIDEInputStreamCallBacks@AIDE@@QAE@XZ | 19 | 0x100f9b30
??1AIDELibInitCallBacks@AIDE@@QAE@XZ | 20 | 0x100f9b30
??1AIDEOutputStreamCallBacks@AIDE@@QAE@XZ | 21 | 0x100f9b30
??1AIDEPoint@AIDE@@QAE@XZ | 22 | 0x100f9b30
??1AIDEProgressCallback@AIDE@@QAE@XZ | 23 | 0x100f9b30
??1ComponentInfo@AIDE@@QAE@XZ | 24 | 0x100f9b30
??1PaletteInfo@AIDE@@QAE@XZ | 25 | 0x100f9b30
??1PixelPartInfo@AIDE@@QAE@XZ | 26 | 0x100f9b30
??4AIDEDimension@AIDE@@QAEAAU01@ABU01@@Z | 27 | 0x100f9b50
??4AIDEFormatType@AIDE@@QAEAAU01@ABU01@@Z | 28 | 0x100f9b70
??4AIDEInputOutputStreamCallBacks@AIDE@@QAEAAU01@ABU01@@Z | 29 | 0x100f9b80
??4AIDEInputStreamCallBacks@AIDE@@QAEAAU01@ABU01@@Z | 30 | 0x100f9ba0
??4AIDELayerSize@AIDE@@QAEAAU01@ABU01@@Z | 31 | 0x100f9b50
??4AIDELibInitCallBacks@AIDE@@QAEAAU01@ABU01@@Z | 32 | 0x100f9b80
??4AIDEOutputStreamCallBacks@AIDE@@QAEAAU01@ABU01@@Z | 33 | 0x100f9b70
??4AIDEPoint@AIDE@@QAEAAU01@ABU01@@Z | 34 | 0x100f9b50
??4AIDEProgressCallback@AIDE@@QAEAAU01@ABU01@@Z | 35 | 0x100f9b70
??4ComponentInfo@AIDE@@QAEAAU01@ABU01@@Z | 36 | 0x100f9b50
??4PaletteInfo@AIDE@@QAEAAU01@ABU01@@Z | 37 | 0x100f9bc0
??4PixelPartInfo@AIDE@@QAEAAU01@ABU01@@Z | 38 | 0x100f9be0
?AIDEDecodeOptionsSetComponentOrder@@YA?AW4AIDEError@AIDE@@PAVDecodeOptions@Impl@2@W4AIDEComponentOrder@2@I@Z | 39 | 0x10106a70
?mVersion@AIDEInputOutputStreamCallBacks@AIDE@@2IB | 40 | 0x10299410
?mVersion@AIDEInputStreamCallBacks@AIDE@@2IB | 41 | 0x10299404
?mVersion@AIDELibInitCallBacks@AIDE@@2IB | 42 | 0x10299400
?mVersion@AIDEOutputStreamCallBacks@AIDE@@2IB | 43 | 0x1029940c
?mVersion@AIDEProgressCallback@AIDE@@2IB | 44 | 0x10299408
AIDECreateLibInstance | 45 | 0x10106b40
AIDEDecodeOptionsSetBitDepth | 46 | 0x10106ca0
AIDEDecodeOptionsSetColorSpace | 47 | 0x10106d70
AIDEDecodeOptionsSetDirectDecode | 48 | 0x10106e40
AIDEDecodeOptionsSetImageOrientation | 49 | 0x10106f10
AIDEDecodeOptionsSetImageResampling | 50 | 0x10106fe0
AIDEDecodeOptionsSetIntValue | 51 | 0x101070e0
AIDEDecodeOptionsSetMaxDimensions | 52 | 0x101071e0
AIDEDecodeOptionsSetNoDecodeErrors | 53 | 0x101072e0
AIDEDecodeOptionsSetPackingType | 54 | 0x101073b0
AIDEDecodeOptionsSetPalette | 55 | 0x10107480
AIDEDecodeOptionsSetPrivateChunkNames | 56 | 0x10107550
AIDEDecodeOptionsSetTransparency | 57 | 0x10107620
AIDEDecoderDecodeNextImage | 58 | 0x101076f0
AIDEDecoderDecodeNextTile | 59 | 0x10107730
AIDEDecoderFillPixelPartBuffers | 60 | 0x10107770
AIDEDecoderGetColorInfo | 61 | 0x10107880
AIDEDecoderGetColorSpace | 62 | 0x10107970
AIDEDecoderGetCommonColorBitDepth | 63 | 0x10107a60
AIDEDecoderGetComponentCount | 64 | 0x10107b50
AIDEDecoderGetComponentInfo | 65 | 0x10107c40
AIDEDecoderGetDirectDecode | 66 | 0x10107d80
AIDEDecoderGetEXIF_1_Data | 67 | 0x10107dc0
AIDEDecoderGetEXIF_3_Data | 68 | 0x10107e00
AIDEDecoderGetFormatType | 69 | 0x10107e40
AIDEDecoderGetGlobalTransparencyIndex | 70 | 0x10107e90
AIDEDecoderGetICCProfile | 71 | 0x10107ec0
AIDEDecoderGetIPTCData | 72 | 0x10107f00
AIDEDecoderGetImageResolution | 73 | 0x10107f50
AIDEDecoderGetImageSize | 74 | 0x10108030
AIDEDecoderGetMetaDataBlob | 75 | 0x10108130
AIDEDecoderGetMetaDataBlobAtIndex | 76 | 0x10108180
AIDEDecoderGetMetaDataBlobClientBuffer | 77 | 0x101081e0
AIDEDecoderGetMetaDataIntegerValue | 78 | 0x10108230
AIDEDecoderGetPackingInfo | 79 | 0x10108280
AIDEDecoderGetPaletteColorInfo | 80 | 0x10108380
AIDEDecoderGetPaletteFullyTransparentValue | 81 | 0x10108470
AIDEDecoderGetPaletteInfo | 82 | 0x10108550
AIDEDecoderGetPaletteTransparencyType | 83 | 0x101086f0
AIDEDecoderGetPixelPartInfo | 84 | 0x10108730
AIDEDecoderGetPixelPartInfoBigFilesSupported | 85 | 0x101087b0
AIDEDecoderGetTileInfo | 86 | 0x10108920
AIDEDecoderGetTransparencyType | 87 | 0x101089c0
AIDEDecoderGetXMPData | 88 | 0x10108a00
AIDEDecoderHasPalettedComponent | 89 | 0x10108a40
AIDEDecoderSetMaxTileBufferSize | 90 | 0x10108b30
AIDEDecoderSetMaxTileBufferSizeBigFilesSupported | 91 | 0x10108b70
AIDEDestroyLibInstance | 92 | 0x10108bb0
AIDEEncoderEncodeNRows | 93 | 0x10108bd0
AIDEEncoderEncodeNextImage | 94 | 0x10108d40
AIDEEncoderFinishEncoding | 95 | 0x10108e20
AIDEEncoderGetFormatType | 96 | 0x10108fb0
AIDEEncoderRegisterProgressCallback | 97 | 0x101090a0
AIDEEncoderSetColorSpace | 98 | 0x101091b0
AIDEEncoderSetCommonColorBitDepth | 99 | 0x10109290
AIDEEncoderSetEXIF_1_Data | 100 | 0x10109370
AIDEEncoderSetEXIF_3_Data | 101 | 0x10109460
AIDEEncoderSetICCProfile | 102 | 0x10109550
AIDEEncoderSetIPTCData | 103 | 0x10109640
AIDEEncoderSetImageResampling | 104 | 0x10109730
AIDEEncoderSetImageResolution | 105 | 0x10109830
AIDEEncoderSetImageSize | 106 | 0x10109920
AIDEEncoderSetMetaDataBlob | 107 | 0x10109a20
AIDEEncoderSetMetaDataIntegerValue | 108 | 0x10109b00
AIDEEncoderSetPaletteFullyTransparentIndex | 109 | 0x10109be0
AIDEEncoderSetPaletteInfo | 110 | 0x10109cc0
AIDEEncoderSetPaletteTransparencyType | 111 | 0x10109e10
AIDEEncoderSetPixelPartInfo | 112 | 0x10109ef0
AIDEEncoderSetPixelPartInfoBigFilesSupported | 113 | 0x10109f20
AIDEEncoderSetTileInfo | 114 | 0x1010a040
AIDEEncoderSetTransparencyType | 115 | 0x1010a1b0
AIDEEncoderSetXMPData | 116 | 0x1010a290
AIDEEncoderWriteHeader | 117 | 0x1010a380
AIDEEncoderWritePixelPartBuffers | 118 | 0x1010a4e0
AIDEJXREncodeOptionsSetAlphaChannelFormat | 119 | 0x1010a5e0
AIDEJXREncodeOptionsSetAlphaChannelQuality | 120 | 0x1010a6b0
AIDEJXREncodeOptionsSetBitStreamOrdering | 121 | 0x1010a780
AIDEJXREncodeOptionsSetChromaSubSampling | 122 | 0x101073b0
AIDEJXREncodeOptionsSetCompressionType | 123 | 0x1010a850
AIDEJXREncodeOptionsSetImageQuality | 124 | 0x1010a920
AIDEJXREncodeOptionsSetOverlapLevel | 125 | 0x1010a9f0
AIDEJXREncodeOptionsSetTilingSlices | 126 | 0x1010aac0
AIDEJpegEncodeOptionsSetAIQuality | 127 | 0x1010ab90
AIDEJpegEncodeOptionsSetCustomQuality | 128 | 0x1010ac60
AIDEJpegEncodeOptionsSetEncodeMethod | 129 | 0x1010ad30
AIDEJpegEncodeOptionsSetEncodeMode | 130 | 0x1010ae00
AIDEJpegEncodeOptionsSetPackingType | 131 | 0x1010aed0
AIDEJpegEncodeOptionsSetQualityLevel | 132 | 0x1010af60
AIDEJpegEncodeOptionsSetSave4WebQuality | 133 | 0x1010b030
AIDEJpegEncodeOptionsSetUseClipping | 134 | 0x1010b100
AIDELibBuildDate | 135 | 0x1010b1d0
AIDELibCreateBmpEncodeOptions | 136 | 0x1010b1e0
AIDELibCreateDecodeOptions | 137 | 0x1010b2b0
AIDELibCreateDecoder | 138 | 0x1010b380
AIDELibCreateDecoderForFormatType | 139 | 0x1010b490
AIDELibCreateEncoderForBMP | 140 | 0x1010b920
AIDELibCreateEncoderForGIF | 141 | 0x1010ba50
AIDELibCreateEncoderForICON | 142 | 0x1010bb80
AIDELibCreateEncoderForJPEG | 143 | 0x1010bcb0
AIDELibCreateEncoderForJXR | 144 | 0x1010bde0
AIDELibCreateEncoderForPDF | 145 | 0x1010bf10
AIDELibCreateEncoderForPNG | 146 | 0x1010c040
AIDELibCreateEncoderForRAW | 147 | 0x1010c170
AIDELibCreateEncoderForTIFF | 148 | 0x1010c2a0
AIDELibCreateEncoderForWEBP | 149 | 0x1010c3d0
AIDELibCreateGifEncodeOptions | 150 | 0x1010c500
AIDELibCreateIconEncodeOptions | 151 | 0x1010b1e0
AIDELibCreateInputOutputStream | 152 | 0x1010c5d0
AIDELibCreateInputStream | 153 | 0x1010c6e0
AIDELibCreateInputStreamUncached | 154 | 0x1010c800
AIDELibCreateJXREncodeOptions | 155 | 0x1010c920
AIDELibCreateJpegEncodeOptions | 156 | 0x1010c9f0
AIDELibCreateOutputStream | 157 | 0x1010cac0
AIDELibCreatePdfEncodeOptions | 158 | 0x1010b1e0
AIDELibCreatePngEncodeOptions | 159 | 0x1010cbc0
AIDELibCreateRawEncodeOptions | 160 | 0x1010cc90
AIDELibCreateTiffEncodeOptions | 161 | 0x1010cd60
AIDELibCreateWebPEncodeOptions | 162 | 0x1010ce30
AIDELibDestroyBmpEncodeOptions | 163 | 0x1010cf00
AIDELibDestroyDecodeOptions | 164 | 0x1010cf20
AIDELibDestroyDecoder | 165 | 0x1010cf40
AIDELibDestroyEncoder | 166 | 0x1010cf40
AIDELibDestroyGifEncodeOptions | 167 | 0x1010cf70
AIDELibDestroyIconEncodeOptions | 168 | 0x1010cf00
AIDELibDestroyInputOutputStream | 169 | 0x1010cf90
AIDELibDestroyInputStream | 170 | 0x1010cfb0
AIDELibDestroyJXREncodeOptions | 171 | 0x1010cfd0
AIDELibDestroyJpegEncodeOptions | 172 | 0x1010cf00
AIDELibDestroyOutputStream | 173 | 0x1010cff0
AIDELibDestroyPdfEncodeOptions | 174 | 0x1010cf00
AIDELibDestroyPngEncodeOptions | 175 | 0x1010cf00
AIDELibDestroyRawEncodeOptions | 176 | 0x1010cf00
AIDELibDestroyTiffEncodeOptions | 177 | 0x1010d010
AIDELibDestroyWebPEncodeOptions | 178 | 0x1010cf00
AIDELibVersion | 179 | 0x1010d030
AIDEPngEncodeOptionsSetAttemptPaletteCreation | 180 | 0x1010d090
AIDEPngEncodeOptionsSetCompressionLevel | 181 | 0x10106ca0
AIDEPngEncodeOptionsSetFilterType | 182 | 0x1010d160
AIDEPngEncodeOptionsSetForcedPaletteCreation | 183 | 0x1010d230
AIDEPngEncodeOptionsSetInterlaced | 184 | 0x10107480
AIDEPngEncodeOptionsSetPHYChunk | 185 | 0x1010d300
AIDEPngEncodeOptionsSetPalettizationTechnique | 186 | 0x1010d3d0
AIDERawEncodeOptionsSetBlurMethod | 187 | 0x1010d4a0
AIDETiffEncodeOptionsDiableLayer | 188 | 0x1010d580
AIDETiffEncodeOptionsSetCompressionScheme | 189 | 0x1010d650
AIDETiffEncodeOptionsSetCustomEncodeParams | 190 | 0x1010d720
AIDETiffEncodeOptionsSetPyramidParams | 191 | 0x1010d7f0
AIDETiffEncodeOptionsSetPyramidParamsCustomLayers | 192 | 0x1010d8f0
AIDETiffEncodeOptionsSetTileSize | 193 | 0x1010d9f0
AIDEWebPEncodeOptionsSetCompressionType | 194 | 0x1010daf0
AIDEWebPEncodeOptionsSetImageQuality | 195 | 0x1010dbc0
AIDEWritePrivateChunk | 196 | 0x1010dc90
Language of compilation system | Country where language is spoken
English | United States
No network behavior found
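The export names in the table above are MSVC-decorated C++ symbols, and the decoration encodes what the sandbox harness cannot see. Ordinals 1 to 38 are __thiscall constructors, destructors and copy-assignment operators (the ??0, ??1 and ??4 prefixes with the QAE access-and-convention code), ordinal 39 is a __cdecl function with C++ linkage, ordinals 40 to 44 are public static data members (?mVersion@...@2IB), and everything from ordinal 45 onward is an undecorated C-style function. rundll32 calls whatever export it is given as void __stdcall f(HWND, HINSTANCE, LPSTR, int); a __thiscall constructor instead expects the object in ECX and writes its members through that register (the short routine in the entrypoint listing above that stores pointers at [ecx], [ecx+04h] and [ecx+08h] has exactly that shape). The WerFault entries that follow the constructor runs in the process list below (ordinal 1 via "#1", ??0AIDEDimension and ??0AIDEFormatType) are therefore what a wrong-convention call produces and are not by themselves evidence of a payload. The decoder below is an added example written for this page, not part of the report or of the AIDE library; it handles only the subset of the decoration scheme that occurs in this export table, so an analyst can sort the exports into plain C functions, member functions that need an object, and data before reading anything into a crash.

```python
"""Decoder for the subset of MSVC name decoration used by the exports above (??0
constructors, ??1 destructors, ??4 operator=, member and global functions, public
static data members, digit back-references for repeated scope names).  Added example
for this page, not part of the report or the AIDE library; templates, arrays, varargs
and the remaining storage classes are out of scope and raise ValueError/KeyError."""
PRIMITIVES = {"X": "void", "D": "char", "H": "int", "I": "unsigned int", "_N": "bool", "_J": "__int64"}
CALLING = {"A": "__cdecl", "E": "__thiscall", "G": "__stdcall", "I": "__fastcall"}
MEMBER = {"A": "private:", "I": "protected:", "Q": "public:",
          "E": "private: virtual", "M": "protected: virtual", "U": "public: virtual"}
STATIC_DATA = {"0": "private:", "1": "protected:", "2": "public:"}


class Demangler:
    def __init__(self, symbol: str):
        self.s, self.i, self.names = symbol, 0, []    # names: back-reference table

    def peek(self) -> str:
        return self.s[self.i:self.i + 1]

    def take(self) -> str:
        self.i += 1
        return self.s[self.i - 1]                     # IndexError on a truncated symbol

    def ident(self) -> str:                           # back-reference digit, or 'text@' (recorded)
        if self.peek().isdigit():
            return self.names[int(self.take())]
        end = self.s.index("@", self.i)
        name, self.i = self.s[self.i:end], end + 1
        self.names.append(name)
        return name

    def scope(self) -> str:                           # components up to '@', innermost first
        parts = []
        while self.peek() != "@":
            parts.append(self.ident())
        self.take()
        return "::".join(reversed(parts))

    def type(self) -> str:
        c = self.take()
        c = c + self.take() if c == "_" else c
        if c in PRIMITIVES:
            return PRIMITIVES[c]
        if c in "PA":                                 # pointer / reference; next char is target cv
            const = " const" if self.take() == "B" else ""
            return self.type() + const + (" *" if c == "P" else " &")
        if c in "UV":
            return ("struct " if c == "U" else "class ") + self.scope()
        if c == "W" and self.take() == "4":           # W4: enum with int-sized underlying type
            return "enum " + self.scope()
        if c == "?" and self.take() == "A":           # ?A: user-defined type returned by value
            return self.type()
        raise ValueError("unsupported type code %r in %s" % (c, self.s))

    def params(self) -> list:
        out = []
        while self.peek() not in ("@", "X"):          # 'XZ' is (void); otherwise types end at '@Z'
            out.append(self.type())
        self.take()
        if self.take() != "Z":
            raise ValueError("missing Z terminator in " + self.s)
        return out

    def demangle(self) -> dict:
        if not self.s.startswith("?"):                # undecorated (extern "C" style) export
            return {"name": self.s, "kind": "function", "conv": None, "text": self.s}
        self.take()
        if self.peek() == "?":                        # ??0 ctor, ??1 dtor, ??4 operator=
            self.take()
            kind = {"0": "constructor", "1": "destructor", "4": "operator="}[self.take()]
            scope = self.scope()
            cls = scope.rsplit("::", 1)[-1]
            leaf = {"constructor": cls, "destructor": "~" + cls}.get(kind, kind)
            name = scope + "::" + leaf
        else:
            kind, name = "function", self.scope()
        code = self.take()
        if code in STATIC_DATA:
            text = "%s static %s%s %s" % (STATIC_DATA[code], self.type(),
                                          " const" if self.take() == "B" else "", name)
            return {"name": name, "kind": "static data", "conv": None, "text": text}
        access = "" if code == "Y" else MEMBER[code] + " "
        if code != "Y":
            self.take()                               # cv-qualifier of 'this' (A none, B const)
        conv = CALLING[self.take()]
        ret = None if self.peek() == "@" else self.type()
        if ret is None:
            self.take()
        args = self.params()
        text = "%s%s%s %s(%s)" % (access, ret + " " if ret else "", conv, name,
                                  ", ".join(args) or "void")
        return {"name": name, "kind": kind, "conv": conv, "ret": ret, "args": args, "text": text}


def demangle(symbol: str) -> dict:
    return Demangler(symbol).demangle()


def needs_this_pointer(symbol: str) -> bool:
    """__thiscall members read the object from ECX; rundll32 calls an export as
    void __stdcall f(HWND, HINSTANCE, LPSTR, int) and sets up no object."""
    return demangle(symbol)["conv"] == "__thiscall"
```

demangle returns the rendered prototype in text and the calling convention in conv; needs_this_pointer is the one-line triage question. Everything from ordinal 45 onward comes back undecorated: those are plain functions whose calls do not fault for calling-convention reasons, although the arguments rundll32 hands them are meaningless, so any crash in one of those later runs would need its own explanation.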


Target ID:0
Start time:15:45:26
Start date:24/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\AIDE.dll"
Imagebase:0x640000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:1
Start time:15:45:26
Start date:24/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:2
Start time:15:45:26
Start date:24/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AIDE.dll",#1
Imagebase:0x1c0000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:15:45:26
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\AIDE.dll,??0AIDEDimension@AIDE@@QAE@II@Z
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:15:45:26
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",#1
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:15:45:26
Start date:24/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 568
Imagebase:0x1a0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:15:45:26
Start date:24/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 604
Imagebase:0x1a0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:11
Start time:15:45:29
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\AIDE.dll,??0AIDEDimension@AIDE@@QAE@XZ
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:13
Start time:15:45:29
Start date:24/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6728 -s 624
Imagebase:0x1a0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:14
Start time:15:45:32
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\AIDE.dll,??0AIDEFormatType@AIDE@@QAE@H@Z
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:15:45:32
Start date:24/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 632
Imagebase:0x1a0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",??0AIDEDimension@AIDE@@QAE@II@Z
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",??0AIDEDimension@AIDE@@QAE@XZ
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",??0AIDEFormatType@AIDE@@QAE@H@Z
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEWritePrivateChunk
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEWebPEncodeOptionsSetImageQuality
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEWebPEncodeOptionsSetCompressionType
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetTileSize
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetPyramidParamsCustomLayers
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetPyramidParams
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetCustomEncodeParams
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsSetCompressionScheme
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDETiffEncodeOptionsDiableLayer
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDERawEncodeOptionsSetBlurMethod
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetPalettizationTechnique
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetPHYChunk
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:15:45:35
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetInterlaced
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:15:45:36
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetForcedPaletteCreation
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:15:45:36
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetFilterType
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:15:45:36
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetCompressionLevel
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:15:45:36
Start date:24/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\AIDE.dll",AIDEPngEncodeOptionsSetAttemptPaletteCreation
Imagebase:0xe30000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

No disassembly