Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
LxD223vmwH.dll

Overview

General Information

Sample name:LxD223vmwH.dll
renamed because original name is a hash value
Original sample name:af83420a29ba960636e006fdbbf50ac2640ea292b2496c330394b042d6f758fa.dll
Analysis ID:1544817
MD5:c41fea0e4041480fdfccacd4c1a79caf
SHA1:979cf5bb3e1dfe55f5df178ddebfacf865e649a7
SHA256:af83420a29ba960636e006fdbbf50ac2640ea292b2496c330394b042d6f758fa
Tags:2024bankerdllgolangloadermekotiouser-johnk3r
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7404 cmdline: loaddll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7456 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7480 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 7700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7480 -s 780 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7464 cmdline: rundll32.exe C:\Users\user\Desktop\LxD223vmwH.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7776 cmdline: rundll32.exe C:\Users\user\Desktop\LxD223vmwH.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7848 cmdline: rundll32.exe C:\Users\user\Desktop\LxD223vmwH.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7940 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7948 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7956 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7968 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeSetFocus MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7976 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeSetDirty MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7988 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeResize MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8016 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkePaint2 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8024 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeKillFocus MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8040 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeIsDirty MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8048 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeInitialize MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8060 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeGetCaretRect MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8084 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireMouseWheelEvent MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8092 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireMouseEvent MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8100 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireKeyUpEvent MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8108 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireKeyPressEvent MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8116 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireKeyDownEvent MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8128 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireContextMenuEvent MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8140 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFinalize MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8148 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeDestroyWebView MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8156 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeCreateWebView MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8164 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 3740 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 772 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 8172 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8180 cmdline: rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: LxD223vmwH.dllReversingLabs: Detection: 42%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 93.9% probability
Source: LxD223vmwH.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: LxD223vmwH.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Source: Amcache.hve.9.drString found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000003.00000002.3780598192.000000006D2C6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.3777314625.00000000040C6000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1691288164.000000006D2C6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.3780619244.000000006D2C6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.3777318028.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000021.00000002.1674441814.000000006D2C6000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://jaspreser.dev.br/.well-known/acme-challenge/Relatorios_xls_mensal
Source: rundll32.exe, 00000003.00000002.3777314625.0000000004134000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3777318028.0000000004744000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://jaspreser.dev.br/.well-known/acme-challenge/Relatorios_xls_mensaly.

System Summary

barindex
PE file contains section with special chars
Source: LxD223vmwH.dllStatic PE information: section name: .z=n
Source: LxD223vmwH.dllStatic PE information: section name: .KP#
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7480 -s 780
Source: LxD223vmwH.dllStatic PE information: Number of sections : 13 > 10
Source: LxD223vmwH.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engineClassification label: mal60.evad.winDLL@60/9@0/0
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8164
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7480
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\67100889-da80-45ba-94e9-def97aa5f720Jump to behavior
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LxD223vmwH.dll,BarCreate
Source: LxD223vmwH.dllReversingLabs: Detection: 42%
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LxD223vmwH.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7480 -s 780
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LxD223vmwH.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LxD223vmwH.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeSetFocus
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeSetDirty
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeResize
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkePaint2
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeKillFocus
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeIsDirty
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeInitialize
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeGetCaretRect
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireMouseWheelEvent
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireMouseEvent
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireKeyUpEvent
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireKeyPressEvent
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireKeyDownEvent
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireContextMenuEvent
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFinalize
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeDestroyWebView
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeCreateWebView
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarRecognize
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 772
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LxD223vmwH.dll,BarCreateJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LxD223vmwH.dll,BarDestroyJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LxD223vmwH.dll,BarFreeRecJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarCreateJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarDestroyJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarFreeRecJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeSetFocusJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeSetDirtyJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeResizeJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkePaint2Jump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeKillFocusJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeIsDirtyJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeInitializeJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeGetCaretRectJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireMouseWheelEventJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireMouseEventJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireKeyUpEventJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireKeyPressEventJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireKeyDownEventJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireContextMenuEventJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFinalizeJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeDestroyWebViewJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeCreateWebViewJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",dbkFCallWrapperAddrJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",__dbk_fcall_wrapperJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarRecognizeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: d3d9.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: LxD223vmwH.dllStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: LxD223vmwH.dllStatic file information: File size 11373568 > 1048576
Source: LxD223vmwH.dllStatic PE information: Raw size of .KP# is bigger than: 0x100000 < 0xad5a00
Source: LxD223vmwH.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Source: initial sampleStatic PE information: section where entry point is pointing to: .KP#
Source: LxD223vmwH.dllStatic PE information: section name: .didata
Source: LxD223vmwH.dllStatic PE information: section name: .V/Z
Source: LxD223vmwH.dllStatic PE information: section name: .z=n
Source: LxD223vmwH.dllStatic PE information: section name: .KP#
Source: C:\Windows\System32\loaddll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Switches to a custom stack to bypass stack traces
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 6D1D04C4
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 6D2A2627
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 6C842065
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 6CA506CC
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 6C924F79
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 6C9945CE
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 6D269BC5
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 6CEF29A1
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 6CF09079
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 6C97E374
Source: C:\Windows\System32\loaddll32.exeAPI/Special instruction interceptor: Address: 6C9648D4
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
Source: Amcache.hve.9.drBinary or memory string: VMware
Source: Amcache.hve.9.drBinary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin
Source: Amcache.hve.9.drBinary or memory string: VMware, Inc.
Source: Amcache.hve.9.drBinary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.drBinary or memory string: vmci.sys
Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin`
Source: Amcache.hve.9.drBinary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.drBinary or memory string: VMware20,1
Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.drBinary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.drBinary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.drBinary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.drBinary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.drBinary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.drBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.9.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",#1Jump to behavior
Source: Amcache.hve.9.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.drBinary or memory string: msmpeng.exe
Source: Amcache.hve.9.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.drBinary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		11
Process Injection		1
Rundll32		OS Credential Dumping121
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		11
Virtualization/Sandbox Evasion		LSASS Memory11
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager11
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1544817 Sample: LxD223vmwH.dll Startdate: 29/10/2024 Architecture: WINDOWS Score: 60 25 Multi AV Scanner detection for submitted file 2->25 27 PE file contains section with special chars 2->27 29 AI detected suspicious sample 2->29 8 loaddll32.exe 1 2->8         started        process3 signatures4 31 Switches to a custom stack to bypass stack traces 8->31 11 cmd.exe 1 8->11         started        13 rundll32.exe 8->13         started        15 rundll32.exe 8->15         started        17 25 other processes 8->17 process5 process6 19 rundll32.exe 11->19         started        21 WerFault.exe 13->21         started        process7 23 WerFault.exe 22 16 19->23         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
LxD223vmwH.dll42%ReversingLabsWin32.Downloader.Conjar

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://upx.sf.net0%URL Reputationsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://upx.sf.netAmcache.hve.9.drfalse
  • URL Reputation: safe
unknown
https://jaspreser.dev.br/.well-known/acme-challenge/Relatorios_xls_mensaly.rundll32.exe, 00000003.00000002.3777314625.0000000004134000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3777318028.0000000004744000.00000004.00001000.00020000.00000000.sdmpfalse
    		unknown
    https://jaspreser.dev.br/.well-known/acme-challenge/Relatorios_xls_mensalrundll32.exe, 00000003.00000002.3780598192.000000006D2C6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.3777314625.00000000040C6000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1691288164.000000006D2C6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.3780619244.000000006D2C6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.3777318028.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000021.00000002.1674441814.000000006D2C6000.00000002.00000001.01000000.00000003.sdmpfalse
      		unknown

      World Map of Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1544817
      Start date and time:2024-10-29 19:28:55 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 10m 41s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:43
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:LxD223vmwH.dll
      renamed because original name is a hash value
      Original Sample Name:af83420a29ba960636e006fdbbf50ac2640ea292b2496c330394b042d6f758fa.dll
      Detection:MAL
      Classification:mal60.evad.winDLL@60/9@0/0
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .dll
      • Override analysis time to 240s for rundll32

      Warnings

      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 13.89.179.12
      • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
      • Not all processes where analyzed, report is missing behavior information
      • Report size exceeded maximum capacity and may have missing behavior information.
      • VT rate limit hit for: LxD223vmwH.dll

      Simulations

      Behavior and APIs

      TimeTypeDescription
      14:30:06API Interceptor1x Sleep call for process: loaddll32.exe modified
      14:30:30API Interceptor2x Sleep call for process: WerFault.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_cf2619483a25d35cc84b8f5c1e4b909d573749_7522e4b5_e8659227-7ec6-44fa-9437-2c03879aded7\Report.wer

      Download File
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.9384880065366336
      Encrypted:false
      SSDEEP:192:JgiXOsD30BU/wjeTaEpzuiFUZ24IO84ci:ai+sDEBU/wjeJzuiFUY4IO84ci
      MD5:31E0C471C12E9EEEF9EBF7AFFE416CB3
      SHA1:ABE94714A54C9DADBC33410297FC05476029A79F
      SHA-256:C8826669758784CC2FF1AA35D6E3DF11975A80DAA0526FF725597810E9479563
      SHA-512:63FECE6E6806D7041B71EBD990871622BA8C5F8E7C846C63FD72D1C6E8EA7E04A4F5CC2CD841B67CAD32B1437FE7224B3DF74F8C6C573950513A7F7D25FDF5EE
      Malicious:false
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.7.0.0.2.2.1.0.1.5.9.8.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.7.0.0.2.2.2.3.2.8.4.9.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.6.5.9.2.2.7.-.7.e.c.6.-.4.4.f.a.-.9.4.3.7.-.2.c.0.3.8.7.9.a.d.e.d.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.3.b.7.2.7.8.7.-.5.3.e.a.-.4.9.d.d.-.8.b.d.6.-.d.3.1.3.e.c.1.7.e.9.9.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.e.4.-.0.0.0.1.-.0.0.1.4.-.c.d.1.0.-.0.6.9.4.3.0.2.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_cf2619483a25d35cc84b8f5c1e4b909d573749_7522e4b5_fbdcade7-0c01-448b-9016-ca95a78fdb2f\Report.wer

      Download File
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.9387166971859827
      Encrypted:false
      SSDEEP:192:33iUOzD30BU/wjeTaEpzuiFUZ24IO84ci:nilzDEBU/wjeJzuiFUY4IO84ci
      MD5:3582A2B6B38AE706F7ED104A0FE33300
      SHA1:D8B3891D182E14A38F34BAFAF051444B5CA4E276
      SHA-256:DBA8AB67D14AAAE9EF91727E7898D324820B336DCE1C77A4F6809C34F8DDCD52
      SHA-512:DE0A6D0976E721EAE5CBD79F8A525921F80F5218CE3303CA152E4C811FF08AE0C00AB7BAE50E3DC92EA4E5E5092CF78D165130EC0293936EE0CFECFFC2479322
      Malicious:false
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.7.0.0.1.9.7.3.1.9.6.0.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.7.0.0.1.9.7.8.6.6.4.9.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.d.c.a.d.e.7.-.0.c.0.1.-.4.4.8.b.-.9.0.1.6.-.c.a.9.5.a.7.8.f.d.b.2.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.e.1.5.3.d.3.-.f.3.1.3.-.4.5.1.a.-.9.a.d.2.-.4.8.0.9.6.2.0.b.f.b.a.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.3.8.-.0.0.0.1.-.0.0.1.4.-.8.8.2.0.-.f.a.8.c.3.0.2.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

      C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A47.tmp.dmp

      Download File
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Tue Oct 29 18:29:57 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):45674
      Entropy (8bit):1.9785191421262092
      Encrypted:false
      SSDEEP:192:QhDGfW/kgduOpZlO5H43ZDS4Uxr5/JWVIfaOrLOwTFBS:3fWruOvI5HeZuPxqVI1ewTPS
      MD5:FAF0F9602D9CF9DFC3B6B62B259BDCB2
      SHA1:74B3ED0CDD4F8216F96E0004F0A668B552478753
      SHA-256:0805C3A3BCB7B91F73F02531C4FACB5C21C7744C1CB9E5B94E12957F35F50818
      SHA-512:68809F092739D5F46113228AEDF562F7235E02574ED9002E3052CEEA96258D40973149761F368EAC9DC52F42E8EF9E5B6E49B5B0692B5B951EBB33F82A676BE4
      Malicious:false
      Preview:MDMP..a..... ........)!g........................l................-..........T.......8...........T...............j.......................................................................................................eJ..............GenuineIntel............T.......8....)!g.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

      C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B33.tmp.WERInternalMetadata.xml

      Download File
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8344
      Entropy (8bit):3.692613381894641
      Encrypted:false
      SSDEEP:192:R6l7wVeJWI6D6YbO6zSgmf88yprx89bEesfdsm:R6lXJp6D6Yi6mgmf88JEdfD
      MD5:AC5AFD30952A31CA5754D250634C5F11
      SHA1:83DFDD4E084EF7A6E782469FA7F4550173870682
      SHA-256:4E7FA6E5A4A642899195FD0737C78240140603AA33C6C55DB6E511C9F1E19DCB
      SHA-512:881B109B335320E04FF1C7D082563C95F16B9B98DD0D0913BAD11FE2D0B0DA34906F8499F2881A20F709CD51E530EB27CADEC28F4241183D4C23A9548C564247
      Malicious:false
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.8.0.<./.P.i.

      C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B63.tmp.xml

      Download File
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4751
      Entropy (8bit):4.450766352189402
      Encrypted:false
      SSDEEP:48:cvIwWl8zsjJg77aI9eJWpW8VYvYm8M4JCdPtAFPW+q8vjPtwQGScSgd:uIjf9I7c47VbJG2WKB1J3gd
      MD5:7D0592B69905FA54115DECE2314193B6
      SHA1:1DB9170EEE6A6DD718347B61A8DA5BF6312C3225
      SHA-256:D2F82274EB2F122399A470822EAFEE0A06D905BE7C734615B20E6351E555D7F9
      SHA-512:074970625006BEAAC5EFD838DFA28C20CCBA3BE8433F4F6002589DC8905CE9E2F810ED86A47AD3028015732B2C974BC5E6BDC57081E58FB44FBE7F33121DF013
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="565052" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

      C:\ProgramData\Microsoft\Windows\WER\Temp\WER86B0.tmp.dmp

      Download File
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Tue Oct 29 18:30:21 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):45954
      Entropy (8bit):1.9694963542803674
      Encrypted:false
      SSDEEP:192:IQmDGfUkgdu0V0tM/uO5H43ZAJ+AuSXk1Ja8/fHyWk:Zfou1MB5HeZ/ANk1JN
      MD5:81A5C8028D9E34060B7DF2D1DF44EC0F
      SHA1:02112AE7950E1522A21E9C9E4894BD4DC9AE4D0F
      SHA-256:45A4675DC1467862732497BF1E88A4C3715BAFD87B08D9D5E7E0577009B2F44D
      SHA-512:1F07F886F63CBC0EE701634DAF36E100902B3EC240A649672EAA251246CA3501762EFD62AAD7288D5FF655280A096A1BB65D329F79D550F94F0D42D84F6C6C5F
      Malicious:false
      Preview:MDMP..a..... ........)!g........................l................-..........T.......8...........T......................................................................................................................eJ..............GenuineIntel............T............)!g.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

      C:\ProgramData\Microsoft\Windows\WER\Temp\WER879B.tmp.WERInternalMetadata.xml

      Download File
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8360
      Entropy (8bit):3.6912830700660404
      Encrypted:false
      SSDEEP:192:R6l7wVeJuF6S+C6YJTt6A3ogmf88yprG89bFzsfV3m:R6lXJk6S+C6Y36A3ogmf88IFYfo
      MD5:B839576357AB0B0A9599EEC84A4EBC9A
      SHA1:B87EBD6FA406A0B94A57345F96969D777A08040E
      SHA-256:AC82F0A9C0244BD50640A3881E2A60B23CFB7C1F0B83798558BE70AB0C2E614E
      SHA-512:EF7F8B1D7B84ABF1B140C9D92AC613500332693089729544CA57885F1D390E814888327210F99119CE42B7F591DF73BB6F60FFC12A263DB4FD1173F1C2411715
      Malicious:false
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.1.6.4.<./.P.i.

      C:\ProgramData\Microsoft\Windows\WER\Temp\WER87CB.tmp.xml

      Download File
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4751
      Entropy (8bit):4.450682513723229
      Encrypted:false
      SSDEEP:48:cvIwWl8zs0Jg77aI9eJWpW8VY2Ym8M4JCdPtAFXFZ+q8vjPtD+GScSZd:uIjfyI7c47VqJGiFZKBD+J3Zd
      MD5:BF35C1F203C978CD46CA21BA27390FDA
      SHA1:854872572526735BEFB3BAAB5C4DA7B08F9D5792
      SHA-256:6DAC03613A7565263CE0D1C25D54AE93065A2ADD71CF96016D38C2C11C27B33F
      SHA-512:B4165B3F9D35E0FFAFC2C1C419094290C3CB6B966C7DCD797219D91BC0B717DA4E59B93FF6DA95D032BAD05C92214B49A4C46DB3CA6911BA1AF7924523E90399
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="565053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

      C:\Windows\appcompat\Programs\Amcache.hve

      Download File
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):1835008
      Entropy (8bit):4.417462263908973
      Encrypted:false
      SSDEEP:6144:kcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNo5+:Ji58oSWIZBk2MM6AFBWo
      MD5:26B900407561B796E26CB244BF8CAD8F
      SHA1:9505F7DF9AD95F7D96C6F8BEDCD8A42441FF4AD2
      SHA-256:F75D274ED0DD0462585238A42EA99C108C776182DE54571969CBA6F54F5A1D45
      SHA-512:AD95FB2D9A88E8C94942BAE8D810FDA2DD908413F9258E1E0D853F88A368ACF30C72F6BBDCD75C2122504A033BD9232AE2D7BCCB998EBE5FE70E56EF0CE0CFB0
      Malicious:false
      Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmR.J.0*...............................................................................................................................................................................................................................................................................................................................................q].........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

      Static File Info

      General

      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Entropy (8bit):7.907613798645669
      TrID:
      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
      • Generic Win/DOS Executable (2004/3) 0.20%
      • DOS Executable Generic (2002/1) 0.20%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:LxD223vmwH.dll
      File size:11'373'568 bytes
      MD5:c41fea0e4041480fdfccacd4c1a79caf
      SHA1:979cf5bb3e1dfe55f5df178ddebfacf865e649a7
      SHA256:af83420a29ba960636e006fdbbf50ac2640ea292b2496c330394b042d6f758fa
      SHA512:b02183c48c428c1b8c7f79511fad2460ab596a9c6c63efe87325898d724b05bef5aef3cdc3d67c0f590a1ba3057cf4b3757287fc284cdcbb627a4ab3090cc6a4
      SSDEEP:196608:OgGerEWwcBMh09VpTZ6k0dcOu7ZIzzBnX1qNQyKK4pxz+8GXLtLqIOxuo0HPdHO:OkX9CuZwBnFqNQlK6xzwQIwu9
      TLSH:5EB623DB69CB40E5D9DA04B48B177BE623F252484597083ABEC076CA70F5FB0606ED87
      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L...[..f...........!.....zl..rC.....R.........l...@..........................p............@.............................{..

      File Icon

      Icon Hash:7ae282899bbab082

      Static PE Info

      General

      Entrypoint:0x10b0152
      Entrypoint Section:.KP#
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0x66D1FC5B [Fri Aug 30 17:07:39 2024 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:6
      OS Version Minor:0
      File Version Major:6
      File Version Minor:0
      Subsystem Version Major:6
      Subsystem Version Minor:0
      Import Hash:54245b78731fbedbfc2d99e33077d7e8

      Entrypoint Preview

      Instruction
      push ebx
      pushfd
      mov ebx, 2E15AF8Dh
      shl ebx, FFFFFFCDh
      jne 00007EFF04E70D9Bh
      xor al, 9Bh
      neg dx
      not edx
      xchg ecx, edx
      xor bl, al
      mov dword ptr [esp+ecx-3FFFFFFFh], 0009603Dh
      bswap edx
      not edx
      mov word ptr [ebp+edx-63520006h], ax
      lea edx, dword ptr [ecx+ecx*2+5EB71E8Ah]
      rol dword ptr [esp+edx-1EB71E87h], cl
      push edx
      lea edx, dword ptr [esp+edx*2-3D6E3CFEh]
      and byte ptr [esp+ecx*2-7FFFFFFBh], ch
      mov eax, dword ptr [edx+ecx*2-7FFFFFFEh]
      lea edx, dword ptr [5E011306h+ecx*4]
      mov dword ptr [edx+ebp-5E01130Ch], eax
      mov dword ptr [esp+edx-5E011301h], ecx
      mov eax, ecx
      movzx edx, byte ptr [edx+esi-5E011304h]
      xor dl, bl
      neg dl
      push eax
      xor ecx, eax
      jno 00007EFF04CD897Ch
      dec cl
      neg eax
      call 00007EFF04EDA95Ah
      inc ecx
      btc ebx, eax
      inc ecx
      pop ebp
      dec ecx
      add ebp, FF90DD3Bh
      inc ecx
      jmp ebp
      mov cl, byte ptr [ecx+ebp-0A271315h]
      sbb edx, dword ptr [esp+edx*2-144E2636h]
      neg edx
      shl eax, cl
      shl dl, 00000064h
      mov dword ptr [ebp+edx-000000ACh], eax
      mov edx, dword ptr [edi+edx*8-00000580h]
      xor edx, ebx
      not edx
      dec byte ptr [esp+00h]
      mov ecx, dword ptr [eax+eax+00h]

      Data Directories

      NameVirtual AddressVirtual Size Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT0xb6fedc0x27b.KP#
      IMAGE_DIRECTORY_ENTRY_IMPORT0xe9bfd80x140.KP#
      IMAGE_DIRECTORY_ENTRY_RESOURCE0x15e60000x36f090.rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
      IMAGE_DIRECTORY_ENTRY_BASERELOC0x19560000x670.reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IAT0xb0f0000x94c.z=n
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x12374800x220.KP#
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

      Sections

      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
      .text0x10000x6c3a880x0d41d8cd98f00b204e9800998ecf8427eunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .itext0x6c50000x3cf00x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .data0x6c90000x2156c0x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .bss0x6eb0000x1b4ac0x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .idata0x7070000x3c100x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .didata0x70b0000x6bb20x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .edata0x7120000x27b0x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .rdata0x7130000x450x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .V/Z0x7140000x3fa57e0x0d41d8cd98f00b204e9800998ecf8427eunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .z=n0xb0f0000x9640xa0049eb0e39447203eac8033083970baa3aFalse0.80703125data6.155540430719552IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .KP#0xb100000xad58700xad5a00373070597459b15be8700e7abd475390unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rsrc0x15e60000x36f0900x1c00ac11a1c8f32f9710fa21edf2a9ac3447unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc0x19560000x6700x80028d3f30ae05de07179ec650308883faaFalse0.416015625data3.796551914268928IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Resources

      NameRVASizeTypeLanguageCountryZLIB Complexity
      RT_CURSOR0x15e7afc0x134dataEnglishUnited States0.04230769230769231
      RT_CURSOR0x15e7c300x134emptyEnglishUnited States0
      RT_CURSOR0x15e7d640x134emptyEnglishUnited States0
      RT_CURSOR0x15e7e980x134emptyEnglishUnited States0
      RT_CURSOR0x15e7fcc0x134emptyEnglishUnited States0
      RT_CURSOR0x15e81000x134emptyEnglishUnited States0
      RT_CURSOR0x15e82340x134emptyEnglishUnited States0
      RT_CURSOR0x15e83680x134emptyEnglishUnited States0
      RT_CURSOR0x15e849c0x134emptyEnglishUnited States0
      RT_CURSOR0x15e85d00x134emptyEnglishUnited States0
      RT_CURSOR0x15e87040x134emptyEnglishUnited States0
      RT_STRING0x15e88380x33cempty0
      RT_STRING0x15e8b740x4e8empty0
      RT_STRING0x15e905c0x7dcempty0
      RT_STRING0x15e98380x7a0empty0
      RT_STRING0x15e9fd80x654empty0
      RT_STRING0x15ea62c0x6f0empty0
      RT_STRING0x15ead1c0x4f8empty0
      RT_STRING0x15eb2140x5c4empty0
      RT_STRING0x15eb7d80x650empty0
      RT_STRING0x15ebe280x768empty0
      RT_STRING0x15ec5900x570empty0
      RT_STRING0x15ecb000xcf0empty0
      RT_STRING0x15ed7f00x5a0empty0
      RT_STRING0x15edd900x6bcempty0
      RT_STRING0x15ee44c0x820empty0
      RT_STRING0x15eec6c0x5ccempty0
      RT_STRING0x15ef2380x520empty0
      RT_STRING0x15ef7580x5a8empty0
      RT_STRING0x15efd000x4c0empty0
      RT_STRING0x15f01c00x420empty0
      RT_STRING0x15f05e00x84cempty0
      RT_STRING0x15f0e2c0x2e0empty0
      RT_STRING0x15f110c0x5b4empty0
      RT_STRING0x15f16c00x4a0empty0
      RT_STRING0x15f1b600x2c8empty0
      RT_STRING0x15f1e280x124empty0
      RT_STRING0x15f1f4c0x284empty0
      RT_STRING0x15f21d00x5c8empty0
      RT_STRING0x15f27980x468empty0
      RT_STRING0x15f2c000x57cempty0
      RT_STRING0x15f317c0x520empty0
      RT_STRING0x15f369c0x2c0empty0
      RT_STRING0x15f395c0x42cempty0
      RT_STRING0x15f3d880xa0empty0
      RT_STRING0x15f3e280xe4empty0
      RT_STRING0x15f3f0c0x114empty0
      RT_STRING0x15f40200x3e4empty0
      RT_STRING0x15f44040x3f0empty0
      RT_STRING0x15f47f40x3a4empty0
      RT_STRING0x15f4b980x554empty0
      RT_STRING0x15f50ec0x39cempty0
      RT_STRING0x15f54880x21cempty0
      RT_STRING0x15f56a40x498empty0
      RT_STRING0x15f5b3c0x45cempty0
      RT_STRING0x15f5f980x680empty0
      RT_STRING0x15f66180x46cempty0
      RT_STRING0x15f6a840x318empty0
      RT_STRING0x15f6d9c0x35cempty0
      RT_STRING0x15f70f80x404empty0
      RT_STRING0x15f74fc0x358empty0
      RT_STRING0x15f78540xd4empty0
      RT_STRING0x15f79280xa4empty0
      RT_STRING0x15f79cc0x2dcempty0
      RT_STRING0x15f7ca80x458empty0
      RT_STRING0x15f81000x31cempty0
      RT_STRING0x15f841c0x2e8empty0
      RT_STRING0x15f87040x34cempty0
      RT_RCDATA0x15f8a500xd5demptyEnglishUnited States0
      RT_RCDATA0x15f97b00xd57emptyEnglishUnited States0
      RT_RCDATA0x15fa5080xcfcemptyEnglishUnited States0
      RT_RCDATA0x15fb2040xcd9emptyEnglishUnited States0
      RT_RCDATA0x15fbee00xd5demptyEnglishUnited States0
      RT_RCDATA0x15fcc400xd57emptyEnglishUnited States0
      RT_RCDATA0x15fd9980xc4eemptyEnglishUnited States0
      RT_RCDATA0x15fe5e80xc4eemptyEnglishUnited States0
      RT_RCDATA0x15ff2380xcb5emptyEnglishUnited States0
      RT_RCDATA0x15ffef00xcb0emptyEnglishUnited States0
      RT_RCDATA0x1600ba00xd56emptyEnglishUnited States0
      RT_RCDATA0x16018f80xd47emptyEnglishUnited States0
      RT_RCDATA0x16026400xdc2emptyEnglishUnited States0
      RT_RCDATA0x16034040xdc5emptyEnglishUnited States0
      RT_RCDATA0x16041cc0xcf3emptyEnglishUnited States0
      RT_RCDATA0x1604ec00xcedemptyEnglishUnited States0
      RT_RCDATA0x1605bb00xda9emptyEnglishUnited States0
      RT_RCDATA0x160695c0xda6emptyEnglishUnited States0
      RT_RCDATA0x16077040xcf3emptyEnglishUnited States0
      RT_RCDATA0x16083f80xcedemptyEnglishUnited States0
      RT_RCDATA0x16090e80x627eemptyEnglishUnited States0
      RT_RCDATA0x160f3680x10empty0
      RT_RCDATA0x160f3780x148bemptyEnglishUnited States0
      RT_RCDATA0x16108040x111eemptyEnglishUnited States0
      RT_RCDATA0x16119240xd8cemptyEnglishUnited States0
      RT_RCDATA0x16126b00x1460empty0
      RT_RCDATA0x1613b100x4emptyEnglishUnited States0
      RT_RCDATA0x1613b140xdf8empty0
      RT_RCDATA0x161490c0xcbbempty0
      RT_RCDATA0x16155c80x1ceempty0
      RT_RCDATA0x16157980xd7cdaemptyEnglishUnited States0
      RT_RCDATA0x16ed4740xdbf48emptyEnglishUnited States0
      RT_RCDATA0x17c93bc0xb6332emptyEnglishUnited States0
      RT_RCDATA0x187f6f00xd58c1emptyEnglishUnited States0
      RT_GROUP_CURSOR0x1954fb40x14emptyEnglishUnited States0
      RT_GROUP_CURSOR0x1954fc80x14emptyEnglishUnited States0
      RT_GROUP_CURSOR0x1954fdc0x14emptyEnglishUnited States0
      RT_GROUP_CURSOR0x1954ff00x14emptyEnglishUnited States0
      RT_GROUP_CURSOR0x19550040x14emptyEnglishUnited States0
      RT_GROUP_CURSOR0x19550180x14emptyEnglishUnited States0
      RT_GROUP_CURSOR0x195502c0x14emptyEnglishUnited States0
      RT_GROUP_CURSOR0x19550400x14emptyEnglishUnited States0
      RT_GROUP_CURSOR0x19550540x14emptyEnglishUnited States0
      RT_GROUP_CURSOR0x19550680x14emptyEnglishUnited States0
      RT_GROUP_CURSOR0x195507c0x14emptyEnglishUnited States0
      RT_VERSION0x15e79080x1f4dataEnglishUnited States0.488

      Imports

      DLLImport
      winmm.dlltimeGetTime
      d3d9.dllDirect3DCreate9
      winspool.drvDocumentPropertiesW, ClosePrinter, DeviceCapabilitiesW, OpenPrinterW, GetPrinterW, SetPrinterW, GetDefaultPrinterW, EnumPrintersW
      comdlg32.dllPageSetupDlgW, GetSaveFileNameW, GetOpenFileNameW, PrintDlgW
      comctl32.dllImageList_GetImageInfo, FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_DrawIndirect, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage
      shell32.dllDragQueryFileW, Shell_NotifyIconW, SHAppBarMessage, ShellExecuteW
      user32.dllCopyImage, SetMenuItemInfoW, GetMenuItemInfoW, DefFrameProcW, GetDlgCtrlID, GetUpdateRgn, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, SendMessageA, IsClipboardFormatAvailable, EnumWindows, ShowOwnedPopups, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, IsMenu, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, GetClientRect, IsChild, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, GetAsyncKeyState, GetWindowTextLengthW, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, GetClassLongW, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, SetClassLongW, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, GetMessageTime, SendMessageTimeoutW, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, ValidateRect, GetCursor, KillTimer, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, CreateIconIndirect, CreateWindowExW, GetDCEx, PeekMessageW, MonitorFromWindow, GetUpdateRect, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, MapVirtualKeyW, IsWindowUnicode, DispatchMessageW, CreateAcceleratorTableW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, DrawFocusRect, ReleaseCapture, LoadCursorW, ScrollWindow, GetLastActivePopup, MessageBoxIndirectW, GetSystemMetrics, CharUpperBuffW, SetClipboardData, GetClipboardData, ClientToScreen, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, TrackMouseEvent, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, MonitorFromRect, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, VkKeyScanW, DestroyMenu, SetWindowsHookExW, EmptyClipboard, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, GetKeyboardState, ScreenToClient, DrawFrameControl, SetCursor, CreateIcon, RemoveMenu, AppendMenuW, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, CloseClipboard, DestroyCursor, UpdateLayeredWindow, CopyIcon, PostQuitMessage, ShowScrollBar, EnableMenuItem, HideCaret, WINNLSEnableIME, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowRect, GetWindowLongW, InsertMenuW, IsWindowEnabled, IsDialogMessageA, FindWindowW, GetKeyboardLayout, DeleteMenu
      version.dllGetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
      oleaut32.dllSafeArrayPutElement, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SafeArrayAccessData, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, SysAllocStringLen, SafeArrayUnaccessData, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopyInd, VariantChangeType
      WTSAPI32.DLLWTSUnRegisterSessionNotification, WTSRegisterSessionNotification
      advapi32.dllRegSetValueExW, RegConnectRegistryW, RegEnumKeyExW, RegEnumKeyW, RegLoadKeyW, RegDeleteKeyW, RegOpenKeyExW, RegQueryInfoKeyW, RegUnLoadKeyW, RegSaveKeyW, RegDeleteValueW, RegReplaceKeyW, RegFlushKey, RegQueryValueExW, RegEnumValueW, RegCloseKey, RegCreateKeyExW, RegRestoreKeyW
      msvcrt.dllisupper, isalpha, isalnum, toupper, memchr, memcmp, memcpy, memset, isprint, isspace, iscntrl, isxdigit, ispunct, isgraph, islower, tolower
      kernel32.dllSetFileAttributesW, SetFileTime, QueryDosDeviceW, GetACP, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, TlsAlloc, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, GlobalSize, GetLongPathNameW, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToTzSpecificLocalTime, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, FileTimeToDosDateTime, ReadFile, GetUserDefaultLCID, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, MapViewOfFile, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, GlobalAddAtomW, FormatMessageW, SwitchToThread, GetExitCodeThread, OutputDebugStringW, GetCurrentThread, GetLogicalDrives, GetFileAttributesExW, ExpandEnvironmentStringsW, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, GlobalFindAtomW, VirtualQuery, VirtualQueryEx, GlobalFree, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, LoadResource, SuspendThread, GetTickCount, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, GlobalLock, VirtualAlloc, GetTempPathW, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, GetVersionExW, VerifyVersionInfoW, HeapCreate, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, TlsFree, UnmapViewOfFile, lstrlenW, CompareStringA, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, CreateMutexA, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, SystemTimeToFileTime, EnumResourceNamesW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, GetOEMCP, WriteFile, CreateFileMappingW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, TzSpecificLocalTimeToSystemTime, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, RemoveDirectoryW, CreateEventW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
      ole32.dllRevokeDragDrop, CoCreateInstance, CoUninitialize, ReleaseStgMedium, RegisterDragDrop, IsEqualGUID, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, OleRegEnumFormatEtc, CoGetClassObject, CoInitialize, CoTaskMemFree, OleDraw, CoTaskMemAlloc, DoDragDrop
      gdi32.dllPie, SetBkMode, CreateCompatibleBitmap, BeginPath, GetEnhMetaFileHeader, RectVisible, AngleArc, SetAbortProc, SetTextColor, StretchBlt, GetCharABCWidthsFloatW, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, GetWindowOrgEx, CreatePalette, PolyBezierTo, CreateICW, CreateDCW, GetStockObject, CreateSolidBrush, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, GetRegionData, GetEnhMetaFilePaletteEntries, CreatePenIndirect, SetMapMode, CreateFontIndirectW, PolyBezier, EndDoc, GetObjectW, GetWinMetaFileBits, SetROP2, GetEnhMetaFileDescriptionW, ArcTo, Arc, TextOutW, SelectPalette, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPath, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, CreateFontW, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, Rectangle, SaveDC, DeleteDC, BitBlt, FrameRgn, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, CombineRgn, SetWinMetaFileBits, GetStretchBltMode, CreateDIBitmap, SetStretchBltMode, GetDIBits, CreateDIBSection, ExtCreateRegion, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetObjectA, GetBrushOrgEx, GetCurrentPositionEx, SetTextAlign, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, EnumFontFamiliesExW, StretchDIBits, GetPath, GetPaletteEntries

      Exports

      NameOrdinalAddress
      BarCreate30xab6c74
      BarDestroy40xab6c70
      BarFreeRec50xab6c6c
      BarRecognize60xab6c68
      __dbk_fcall_wrapper20x411db4
      dbkFCallWrapperAddr10xaee648
      wkeCreateWebView120xab6c50
      wkeDestroyWebView70xab6c64
      wkeFinalize80xab6c60
      wkeFireContextMenuEvent150xab6c44
      wkeFireKeyDownEvent110xab6c54
      wkeFireKeyPressEvent130xab6c4c
      wkeFireKeyUpEvent220xab6c28
      wkeFireMouseEvent140xab6c48
      wkeFireMouseWheelEvent160xab6c40
      wkeGetCaretRect190xab6c34
      wkeInitialize210xab6c2c
      wkeIsDirty200xab6c30
      wkeKillFocus180xab6c38
      wkePaint2230xab6c24
      wkeResize100xab6c58
      wkeSetDirty90xab6c5c
      wkeSetFocus170xab6c3c

      Possible Origin

      Language of compilation systemCountry where language is spokenMap
      EnglishUnited States

      Network Behavior

      No network behavior found

      Statistics

      CPU Usage

      Click to jump to process

      Memory Usage

      Click to jump to process

      High Level Behavior Distribution

      Click to dive into process behavior distribution

      Behavior

      Click to jump to process

      System Behavior

      General

      Target ID:0
      Start time:14:29:54
      Start date:29/10/2024
      Path:C:\Windows\System32\loaddll32.exe
      Wow64 process (32bit):true
      Commandline:loaddll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll"
      Imagebase:0xfe0000
      File size:126'464 bytes
      MD5 hash:51E6071F9CBA48E79F10C84515AAE618
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      General

      Target ID:1
      Start time:14:29:54
      Start date:29/10/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff75da10000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      General

      Target ID:2
      Start time:14:29:54
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",#1
      Imagebase:0x410000
      File size:236'544 bytes
      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      General

      Target ID:3
      Start time:14:29:54
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\LxD223vmwH.dll,BarCreate
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:false

      General

      Target ID:4
      Start time:14:29:54
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",#1
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      General

      Target ID:9
      Start time:14:29:57
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7480 -s 780
      Imagebase:0xa20000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      General

      Target ID:11
      Start time:14:29:57
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\LxD223vmwH.dll,BarDestroy
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      General

      Target ID:12
      Start time:14:30:01
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\LxD223vmwH.dll,BarFreeRec
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      General

      Target ID:13
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarCreate
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:false

      General

      Target ID:14
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarDestroy
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      General

      Target ID:15
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarFreeRec
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      General

      Target ID:16
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeSetFocus
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:17
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeSetDirty
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:18
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeResize
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:19
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkePaint2
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:20
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeKillFocus
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:21
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeIsDirty
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:22
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeInitialize
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:23
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeGetCaretRect
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:24
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireMouseWheelEvent
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:25
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireMouseEvent
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:26
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireKeyUpEvent
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:27
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireKeyPressEvent
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:28
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireKeyDownEvent
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:29
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFireContextMenuEvent
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:30
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeFinalize
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:31
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeDestroyWebView
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:32
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",wkeCreateWebView
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:33
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",dbkFCallWrapperAddr
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:34
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",__dbk_fcall_wrapper
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:35
      Start time:14:30:06
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\LxD223vmwH.dll",BarRecognize
      Imagebase:0x9b0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      General

      Target ID:39
      Start time:14:30:20
      Start date:29/10/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 772
      Imagebase:0xa20000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:true

      Disassembly

      No disassembly