Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll

Source: C:\Windows\System32\loaddll32.exe

Process token adjusted: Security

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1006D2AF appears 31 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1007D4F0 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1006DCA4 appears 94 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 808

Source: 6e9feb.tmp.2.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e9c29.tmp.2.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e9da3.tmp.2.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e9ecf.tmp.2.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e92c9.tmp.6.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e8fb6.tmp.6.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e913f.tmp.6.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e9491.tmp.6.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e924c.tmp.7.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e93e5.tmp.7.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e8fa6.tmp.7.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e90f1.tmp.7.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6ea10b.tmp.14.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6ea1f8.tmp.14.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6ea2d6.tmp.14.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6ea402.tmp.14.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped

Source: 6e8fa6.tmp.7.dr	Static PE information: No import functions for PE file found
Source: 6e93e5.tmp.7.dr	Static PE information: No import functions for PE file found
Source: 6e90f1.tmp.7.dr	Static PE information: No import functions for PE file found
Source: 6ea2d6.tmp.14.dr	Static PE information: No import functions for PE file found
Source: 6e92c9.tmp.6.dr	Static PE information: No import functions for PE file found
Source: 6e9c29.tmp.2.dr	Static PE information: No import functions for PE file found
Source: 6e924c.tmp.7.dr	Static PE information: No import functions for PE file found
Source: 6e8fb6.tmp.6.dr	Static PE information: No import functions for PE file found
Source: 6e9da3.tmp.2.dr	Static PE information: No import functions for PE file found
Source: 6ea1f8.tmp.14.dr	Static PE information: No import functions for PE file found
Source: 6e9ecf.tmp.2.dr	Static PE information: No import functions for PE file found
Source: 6ea402.tmp.14.dr	Static PE information: No import functions for PE file found
Source: 6e9feb.tmp.2.dr	Static PE information: No import functions for PE file found
Source: 6ea10b.tmp.14.dr	Static PE information: No import functions for PE file found
Source: 6e9491.tmp.6.dr	Static PE information: No import functions for PE file found
Source: 6e913f.tmp.6.dr	Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: 6e9ecf.tmp.2.dr

Binary string: \Device\IPT[

Source: classification engine

Classification label: mal64.evad.winDLL@13/61@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_100213B0 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,MulDiv,

6_2_100213B0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1007F644 FindResourceA,LoadResource,LockResource,

6_2_1007F644

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3596:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7280
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5544
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5884

Source: C:\Windows\System32\loaddll32.exe

File created: C:\Users\user\AppData\Local\Temp\6e9c29.tmp

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll, DLL

Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll

Virustotal: Detection: 48%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll, DLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 808
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5544 -s 800
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll", DLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7280 -s 872
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll, DLL	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll", DLL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Window found: window name: SysTabControl32

Renames NTDLL to bypass HIPS

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\rundll32.exe	Window detected: Number of UI elements: 20
Source: C:\Windows\SysWOW64\rundll32.exe	Window detected: Number of UI elements: 20

Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll

Static file information: File size 1313056 > 1048576

Source:	Binary string: wgdi32.pdbUGP source: loaddll32.exe, 00000002.00000003.1345228328.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000002.00000003.1347663473.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000002.00000003.1339182709.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000002.00000003.1342158891.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315072879.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1321885815.0000000002EFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1681788063.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1316161195.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1321297230.0000000002EFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1314214773.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315166483.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1319791841.0000000002EFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1307539655.0000000002EFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1314012323.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1310055446.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1307060024.0000000002E88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1317480969.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1352799164.0000000003410000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1355201068.0000000003422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1359058753.0000000003422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1349835454.0000000003410000.00000004.00000020.00020000.00000000.sdmp, 6e90c1.tmp.7.dr, 6ea089.tmp.2.dr, 6ea2a6.tmp.14.dr, 6ea3c3.tmp.14.dr, 6e93e4.tmp.6.dr, 6e91ce.tmp.7.dr, 6e9386.tmp.7.dr, 6ea4ee.tmp.14.dr
Source:	Binary string: wntdll.pdbUGP source: 6e93e5.tmp.7.dr, 6ea1f8.tmp.14.dr, 6e9c29.tmp.2.dr, 6e924c.tmp.7.dr, 6e90f1.tmp.7.dr, 6ea2d6.tmp.14.dr, 6e8fa6.tmp.7.dr, 6e9ecf.tmp.2.dr
Source:	Binary string: wntdll.pdb source: 6e93e5.tmp.7.dr, 6ea1f8.tmp.14.dr, 6e9c29.tmp.2.dr, 6e924c.tmp.7.dr, 6e90f1.tmp.7.dr, 6ea2d6.tmp.14.dr, 6e8fa6.tmp.7.dr, 6e9ecf.tmp.2.dr
Source:	Binary string: wuser32.pdb source: 6ea267.tmp.14.dr, 6ea451.tmp.14.dr, 6ea335.tmp.14.dr, 6ea15a.tmp.14.dr, 6e91bd.tmp.6.dr, 6e95ab.tmp.6.dr, 6e9385.tmp.6.dr
Source:	Binary string: wgdi32.pdb source: loaddll32.exe, 00000002.00000003.1345228328.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000002.00000003.1347663473.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000002.00000003.1339182709.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000002.00000003.1342158891.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315072879.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1321885815.0000000002EFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1681788063.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1316161195.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1321297230.0000000002EFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1314214773.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315166483.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1319791841.0000000002EFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1307539655.0000000002EFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1314012323.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1310055446.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1307060024.0000000002E88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1317480969.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1352799164.0000000003410000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1355201068.0000000003422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1359058753.0000000003422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1349835454.0000000003410000.00000004.00000020.00020000.00000000.sdmp, 6e90c1.tmp.7.dr, 6ea089.tmp.2.dr, 6ea2a6.tmp.14.dr, 6ea3c3.tmp.14.dr, 6e93e4.tmp.6.dr, 6e91ce.tmp.7.dr, 6e9386.tmp.7.dr, 6ea4ee.tmp.14.dr
Source:	Binary string: wuser32.pdbUGP source: 6ea267.tmp.14.dr, 6ea451.tmp.14.dr, 6ea335.tmp.14.dr, 6ea15a.tmp.14.dr, 6e91bd.tmp.6.dr, 6e95ab.tmp.6.dr, 6e9385.tmp.6.dr

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1007F961 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,

6_2_1007F961

Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	Static PE information: section name: .vmp0
Source: 6e9feb.tmp.2.dr	Static PE information: section name: RT
Source: 6e9feb.tmp.2.dr	Static PE information: section name: .mrdata
Source: 6e9feb.tmp.2.dr	Static PE information: section name: .00cfg
Source: 6ea04a.tmp.2.dr	Static PE information: section name: .didat
Source: 6ea089.tmp.2.dr	Static PE information: section name: .didat
Source: 6e9c29.tmp.2.dr	Static PE information: section name: RT
Source: 6e9c29.tmp.2.dr	Static PE information: section name: .mrdata
Source: 6e9c29.tmp.2.dr	Static PE information: section name: .00cfg
Source: 6e9cf5.tmp.2.dr	Static PE information: section name: .didat
Source: 6e9d64.tmp.2.dr	Static PE information: section name: .didat
Source: 6e9da3.tmp.2.dr	Static PE information: section name: RT
Source: 6e9da3.tmp.2.dr	Static PE information: section name: .mrdata
Source: 6e9da3.tmp.2.dr	Static PE information: section name: .00cfg
Source: 6e9e02.tmp.2.dr	Static PE information: section name: .didat
Source: 6e9e80.tmp.2.dr	Static PE information: section name: .didat
Source: 6e9ecf.tmp.2.dr	Static PE information: section name: RT
Source: 6e9ecf.tmp.2.dr	Static PE information: section name: .mrdata
Source: 6e9ecf.tmp.2.dr	Static PE information: section name: .00cfg
Source: 6e9f5d.tmp.2.dr	Static PE information: section name: .didat
Source: 6e9fbb.tmp.2.dr	Static PE information: section name: .didat
Source: 6e91bd.tmp.6.dr	Static PE information: section name: .didat
Source: 6e927a.tmp.6.dr	Static PE information: section name: .didat
Source: 6e92c9.tmp.6.dr	Static PE information: section name: RT
Source: 6e92c9.tmp.6.dr	Static PE information: section name: .mrdata
Source: 6e92c9.tmp.6.dr	Static PE information: section name: .00cfg
Source: 6e9385.tmp.6.dr	Static PE information: section name: .didat
Source: 6e93e4.tmp.6.dr	Static PE information: section name: .didat
Source: 6e8fb6.tmp.6.dr	Static PE information: section name: RT
Source: 6e8fb6.tmp.6.dr	Static PE information: section name: .mrdata
Source: 6e8fb6.tmp.6.dr	Static PE information: section name: .00cfg
Source: 6e9024.tmp.6.dr	Static PE information: section name: .didat
Source: 6e90f0.tmp.6.dr	Static PE information: section name: .didat
Source: 6e913f.tmp.6.dr	Static PE information: section name: RT
Source: 6e913f.tmp.6.dr	Static PE information: section name: .mrdata
Source: 6e913f.tmp.6.dr	Static PE information: section name: .00cfg
Source: 6e9491.tmp.6.dr	Static PE information: section name: RT
Source: 6e9491.tmp.6.dr	Static PE information: section name: .mrdata
Source: 6e9491.tmp.6.dr	Static PE information: section name: .00cfg
Source: 6e95ab.tmp.6.dr	Static PE information: section name: .didat
Source: 6e960a.tmp.6.dr	Static PE information: section name: .didat
Source: 6e91ce.tmp.7.dr	Static PE information: section name: .didat
Source: 6e924c.tmp.7.dr	Static PE information: section name: RT
Source: 6e924c.tmp.7.dr	Static PE information: section name: .mrdata
Source: 6e924c.tmp.7.dr	Static PE information: section name: .00cfg
Source: 6e92ab.tmp.7.dr	Static PE information: section name: .didat
Source: 6e9386.tmp.7.dr	Static PE information: section name: .didat
Source: 6e93e5.tmp.7.dr	Static PE information: section name: RT
Source: 6e93e5.tmp.7.dr	Static PE information: section name: .mrdata
Source: 6e93e5.tmp.7.dr	Static PE information: section name: .00cfg
Source: 6e8fa6.tmp.7.dr	Static PE information: section name: RT
Source: 6e8fa6.tmp.7.dr	Static PE information: section name: .mrdata
Source: 6e8fa6.tmp.7.dr	Static PE information: section name: .00cfg
Source: 6e9014.tmp.7.dr	Static PE information: section name: .didat
Source: 6e90c1.tmp.7.dr	Static PE information: section name: .didat
Source: 6e90f1.tmp.7.dr	Static PE information: section name: RT
Source: 6e90f1.tmp.7.dr	Static PE information: section name: .mrdata
Source: 6e90f1.tmp.7.dr	Static PE information: section name: .00cfg
Source: 6e916f.tmp.7.dr	Static PE information: section name: .didat
Source: 6e9444.tmp.7.dr	Static PE information: section name: .didat
Source: 6e94d1.tmp.7.dr	Static PE information: section name: .didat
Source: 6ea10b.tmp.14.dr	Static PE information: section name: RT
Source: 6ea10b.tmp.14.dr	Static PE information: section name: .mrdata
Source: 6ea10b.tmp.14.dr	Static PE information: section name: .00cfg
Source: 6ea15a.tmp.14.dr	Static PE information: section name: .didat
Source: 6ea19a.tmp.14.dr	Static PE information: section name: .didat
Source: 6ea1f8.tmp.14.dr	Static PE information: section name: RT
Source: 6ea1f8.tmp.14.dr	Static PE information: section name: .mrdata
Source: 6ea1f8.tmp.14.dr	Static PE information: section name: .00cfg
Source: 6ea267.tmp.14.dr	Static PE information: section name: .didat
Source: 6ea2a6.tmp.14.dr	Static PE information: section name: .didat
Source: 6ea2d6.tmp.14.dr	Static PE information: section name: RT
Source: 6ea2d6.tmp.14.dr	Static PE information: section name: .mrdata
Source: 6ea2d6.tmp.14.dr	Static PE information: section name: .00cfg
Source: 6ea335.tmp.14.dr	Static PE information: section name: .didat
Source: 6ea3c3.tmp.14.dr	Static PE information: section name: .didat
Source: 6ea402.tmp.14.dr	Static PE information: section name: RT
Source: 6ea402.tmp.14.dr	Static PE information: section name: .mrdata
Source: 6ea402.tmp.14.dr	Static PE information: section name: .00cfg
Source: 6ea451.tmp.14.dr	Static PE information: section name: .didat
Source: 6ea4ee.tmp.14.dr	Static PE information: section name: .didat

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D3172 push edx; mov dword ptr [esp], ebp	6_2_100D3173
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D3172 push edi; mov dword ptr [esp], ecx	6_2_100D423A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D31F2 push dword ptr [esp+34h]; retn 0038h	6_2_100D3218
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D3203 push dword ptr [esp+34h]; retn 0038h	6_2_100D3218
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D541A pushad ; retf	6_2_100D541E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D544C pushfd ; mov dword ptr [esp], 1D1AA032h	6_2_100D5450
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D345A push edi; mov dword ptr [esp], ebx	6_2_100D3A97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D547B pushfd ; mov dword ptr [esp], 1D1AA032h	6_2_100D5450
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D3484 pushfd ; mov dword ptr [esp], ebp	6_2_100D348E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D353A push BF49E822h; mov dword ptr [esp], esp	6_2_100D43F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D35BC pushfd ; mov dword ptr [esp], EAB2D7E3h	6_2_100D35CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D35C8 pushfd ; mov dword ptr [esp], EAB2D7E3h	6_2_100D35CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D3936 push edi; mov dword ptr [esp], ecx	6_2_100D423A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D397B push dword ptr [esp+58h]; retn 005Ch	6_2_100D40DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D39B2 push dword ptr [esp+58h]; retn 005Ch	6_2_100D40DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D39E0 push dword ptr [esp+58h]; retn 005Ch	6_2_100D40DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D3A96 push edi; mov dword ptr [esp], ebx	6_2_100D3A97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D3B01 pushfd ; mov dword ptr [esp], esi	6_2_100D3F8B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1006DCA4 push eax; ret	6_2_1006DCC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D3E35 push 5D07112Fh; mov dword ptr [esp], 17937626h	6_2_100D47F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D3E43 pushfd ; mov dword ptr [esp], ebp	6_2_100D3E49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D403F push dword ptr [esp+58h]; retn 005Ch	6_2_100D40DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D4134 push DF8CE067h; mov dword ptr [esp], A81949E5h	6_2_100D4139
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D4234 push edi; mov dword ptr [esp], ecx	6_2_100D423A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D45CD push dword ptr [esp+34h]; retn 0038h	6_2_100D460E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D461D push edx; mov dword ptr [esp], 93984BB2h	6_2_100D4623
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100D4611 push edx; mov dword ptr [esp], 93984BB2h	6_2_100D4623
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1006CC90 push eax; ret	6_2_1006CCBE

Source: 6e9feb.tmp.2.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e9c29.tmp.2.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e9da3.tmp.2.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e9ecf.tmp.2.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e92c9.tmp.6.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e8fb6.tmp.6.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e913f.tmp.6.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e9491.tmp.6.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e924c.tmp.7.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e93e5.tmp.7.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e8fa6.tmp.7.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e90f1.tmp.7.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6ea10b.tmp.14.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6ea1f8.tmp.14.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6ea2d6.tmp.14.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 6ea402.tmp.14.dr	Static PE information: section name: .text entropy: 6.844715065913507

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9444.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e90f0.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e90f1.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6ea4ee.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9fbb.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6ea2a6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e91bd.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9c29.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e913f.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e92ab.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e93e4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e92c9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6ea267.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e924c.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6ea402.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e93e5.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\6ea04a.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6ea10b.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6ea15a.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e94d1.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\6ea089.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9d64.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9385.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9024.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6ea2d6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e960a.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9da3.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e90c1.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9491.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6ea451.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9e80.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e927a.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9feb.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9e02.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e8fb6.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9ecf.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6ea335.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e95ab.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9cf5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9014.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e916f.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6ea1f8.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6ea19a.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6ea3c3.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e91ce.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9f5d.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e9386.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\6e8fa6.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1006B23D IsIconic,GetWindowPlacement,GetWindowRect,	6_2_1006B23D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10037A70 DestroyCursor,IsWindowVisible,IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMenu,DeleteMenu,GetSystemMenu,	6_2_10037A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1003BCF0 IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsWindow,ShowWindow,	6_2_1003BCF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10038140 IsIconic,IsZoomed,	6_2_10038140
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100328B0 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus,	6_2_100328B0

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9444.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e90f0.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e90f1.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea4ee.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9fbb.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea2a6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e91bd.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9c29.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e913f.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e92ab.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e93e4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e92c9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea267.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e924c.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea402.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e93e5.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea04a.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea10b.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea15a.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e94d1.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea089.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9d64.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9385.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea2d6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9024.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e960a.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9da3.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e90c1.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea451.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9491.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9e80.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e927a.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9e02.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9feb.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e8fb6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea335.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9ecf.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e95ab.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9cf5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9014.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e916f.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea1f8.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea19a.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea3c3.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e91ce.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9f5d.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9386.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e8fa6.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1003C600 FindFirstFileA,FindClose,	6_2_1003C600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002A220 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	6_2_1002A220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10034440 FindNextFileA,FindClose,FindFirstFileA,FindClose,	6_2_10034440
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1007C5DB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	6_2_1007C5DB

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1007F961 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,

6_2_1007F961

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100179C0 mov esi, dword ptr fs:[00000030h]		6_2_100179C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001E6BF mov ecx, dword ptr fs:[00000030h]		6_2_1001E6BF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10021CF0 GetProcessHeap,RtlAllocateHeap,

6_2_10021CF0

Source: C:\Windows\System32\loaddll32.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001797C RtlAddVectoredExceptionHandler,	6_2_1001797C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100767B5 SetUnhandledExceptionFilter,	6_2_100767B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100767C7 SetUnhandledExceptionFilter,	6_2_100767C7

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll",#1

Source: 6ea267.tmp.14.dr, 6ea451.tmp.14.dr, 6ea335.tmp.14.dr, 6ea15a.tmp.14.dr, 6e91bd.tmp.6.dr, 6e95ab.tmp.6.dr	Binary or memory string: GetProgmanWindow
Source: 6ea267.tmp.14.dr, 6ea451.tmp.14.dr, 6ea335.tmp.14.dr, 6ea15a.tmp.14.dr, 6e91bd.tmp.6.dr, 6e95ab.tmp.6.dr	Binary or memory string: SetProgmanWindow

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1006E20A GetLocalTime,GetSystemTime,GetTimeZoneInformation,

6_2_1006E20A

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1006E20A GetLocalTime,GetSystemTime,GetTimeZoneInformation,

6_2_1006E20A

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1008636B GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

6_2_1008636B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 LSASS Driver	12 Process Injection	1 Virtualization/Sandbox Evasion	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 LSASS Driver	12 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	4 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	49%	Virustotal		Browse
SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	100%	Avira	TR/Crypt.XPACK.Gen
SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\6e8fa6.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e8fa6.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e8fb6.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e8fb6.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e9014.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e9014.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e9024.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e9024.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e90c1.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e90c1.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e90f0.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e90f0.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e90f1.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e90f1.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e913f.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e913f.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e916f.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e916f.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e91bd.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e91bd.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e91ce.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e91ce.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e924c.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e924c.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e927a.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e927a.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e92ab.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e92ab.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e92c9.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e92c9.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e9385.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e9385.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e9386.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e9386.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e93e4.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e93e4.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e93e5.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e93e5.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e9444.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e9444.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e9491.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e9491.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\6e94d1.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\6e94d1.tmp	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://www.eyuyan.com)DVarFileInfo$	0%	Avira URL Cloud	safe
http://68862320bb.d131.tqxq.com/kdc/dqgg.txt	0%	Avira URL Cloud	safe
http://www.99tianji.com/w55	0%	Avira URL Cloud	safe
http://68862320bb.d131.tqxq.com/kdc/banben.txt2.5	0%	Avira URL Cloud	safe
http://68862320bb.d131.tqxq.com/kdc/banben.txt2.5	0%	Virustotal		Browse
http://68862320bb.d131.tqxq.com/kdc/dqgg.txt	2%	Virustotal		Browse
http://www.99tianji.com/w55	6%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://s.taobao.com/search?initiative_id=staobaoz_20131120&jc=1&q=%C2%E5%C6%E6%D3%A2%D0%DB%B4%AB%D0%	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	false		high
http://www.eyuyan.com)DVarFileInfo$	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	false	Avira URL Cloud: safe	low
http://item.taobao.com/item.htm?id=36149830965http://item.taobao.com/item.htm?id=36151081551http://s	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	false		high
http://item.taobao.com/item.htm?id=36149830965	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	false		high
http://68862320bb.d131.tqxq.com/kdc/banben.txt2.5	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://item.taobao.com/item.htm?id=36151057950	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	false		high
http://www.99tianji.com/w55	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://item.taobao.com/item.htm?id=36151081551	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	false		high
http://s.taobao.com/search?q=%D0%FD%B7%E7%CD%F8%C2%E7%C1%AA%C3%CB%A2%DA&app=shopsearch5	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	false		high
http://68862320bb.d131.tqxq.com/kdc/dqgg.txt	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://s.taobao.com/search?q=%C2%E5%C6%E6%D3%A2%D0%DB%B4%AB%D0%FD%B7%E7%B8%A8%D6%FA&searcy_type=item	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431433
Start date and time:	2024-04-25 05:33:35 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll
Detection:	MAL
Classification:	mal64.evad.winDLL@13/61@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 33 Number of non-executed functions: 201
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 72.21.81.240, 20.189.173.22
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, wu.ec.azureedge.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, blobcollector.events.data.trafficmanager.net, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\6e8fa6.tmp	SecuriteInfo.com.Win32.DropperX-gen.25624.11389.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Siggen19.27544.4289.6649.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Siggen19.27544.16723.4470.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.Bulz.467496.20475.7100.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.8987.8491.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.Bulz.467496.20475.7100.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.1486.14630.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Evo-gen.19982.21920.dll	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Evo-gen.19982.21920.dll	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\6e8fb6.tmp	SecuriteInfo.com.Win32.DropperX-gen.25624.11389.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Siggen19.27544.4289.6649.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Siggen19.27544.16723.4470.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.Bulz.467496.20475.7100.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.8987.8491.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.Bulz.467496.20475.7100.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.1486.14630.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Evo-gen.19982.21920.dll	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Evo-gen.19982.21920.dll	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_b865344195a016a7b3cfd6083efc94b48ed2e5e_7522e4b5_22d5e5d6-c07f-42e8-b1e2-20f32a57bb29\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9410585277136831
Encrypted:	false
SSDEEP:	192:D4iHOXy06P+8jeT7RDzuiFZZ24IO84ci:siuX56P+8je9zuiFZY4IO84ci
MD5:	ED3964222CF2B4BB80E46722452DE73F
SHA1:	A70B53E89A643E3D0964A920AE52B4CC8BA4F890
SHA-256:	B7B458066E378EC070A79E9D53BB70A87857AA2A5F80D267F8D752F56D216318
SHA-512:	43689866297D1E4947F0AFD6E2E7A6E159E931B935A0A0CA5CE22B0A771D655DD36CF21D81D7E1FE01D62061DD27EE31DAA3FA71CEF745DB40305769D7C20232
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.4.8.9.6.6.8.2.5.1.8.9.7.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.4.8.9.6.6.8.6.4.2.5.1.1.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.d.5.e.5.d.6.-.c.0.7.f.-.4.2.e.8.-.b.1.e.2.-.2.0.f.3.2.a.5.7.b.b.2.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.a.e.c.4.f.4.-.7.3.a.0.-.4.a.a.0.-.a.1.7.e.-.b.c.d.1.a.a.d.c.1.c.4.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.7.0.-.0.0.0.1.-.0.0.1.4.-.1.9.e.c.-.1.a.7.9.c.1.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_b865344195a016a7b3cfd6083efc94b48ed2e5e_7522e4b5_2d045183-0052-4765-9d69-f1c013375348\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9417226488075008
Encrypted:	false
SSDEEP:	192:sli6Ory06P+8jeT7RDzuiFZZ24IO84ci:6ibr56P+8je9zuiFZY4IO84ci
MD5:	928AB89BE2B908EA0742B1B98DE70E66
SHA1:	9F2BEABF9AB88EB827532B5F669BEBA1867EDD81
SHA-256:	A375322B447C4A74061CF886CD3CADB151CBB1459233ACE4AB827B06A9B3C3F0
SHA-512:	EECE0DC28B71CC3B623243CF59D11E83F722914F7329E64AC77C77F85E36BB7F2366DA28F489419E03AA63B285BFBD1773D3D2B107A69F0C022E5B318B20AA7A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.4.8.9.6.6.4.6.0.3.0.5.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.4.8.9.6.6.5.6.0.3.0.8.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.0.4.5.1.8.3.-.0.0.5.2.-.4.7.6.5.-.9.d.6.9.-.f.1.c.0.1.3.3.7.5.3.4.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.6.6.f.4.5.a.7.-.8.6.c.1.-.4.b.5.6.-.8.9.b.8.-.6.6.c.6.3.9.7.1.8.5.1.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.f.c.-.0.0.0.1.-.0.0.1.4.-.8.2.8.b.-.7.4.7.6.c.1.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_b865344195a016a7b3cfd6083efc94b48ed2e5e_7522e4b5_dcc89578-cf24-44a4-a2d6-e7766cc63df5\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9415430024482506
Encrypted:	false
SSDEEP:	192:BcSHim4Owy06P+8jeT7RDzuiFZZ24IO84ci:Brimpw56P+8je9zuiFZY4IO84ci
MD5:	663D758B66CCD85C4E4E6FF43BEE40AC
SHA1:	DD41299B9621D08C83FFD6532C41B40B0CE0C830
SHA-256:	CE3DF7D104C78D94ABCC0A11BF81D88E24E3214A9929698AFE4662F4E14D7EA8
SHA-512:	B0287D8F33C50659AE7981A3EAAAA7AA7D5F153831E0C0D16571DD04C517183CD04A37B19F7C8AECBDEC2ED26A200DB6E217C64FCD816CA7C11C7C5716EA5E93
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.4.8.9.6.6.4.6.7.7.9.2.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.4.8.9.6.6.5.5.9.9.8.3.3.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.c.8.9.5.7.8.-.c.f.2.4.-.4.4.a.4.-.a.2.d.6.-.e.7.7.6.6.c.c.6.3.d.f.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.1.f.9.0.5.9.3.-.e.a.6.6.-.4.5.5.7.-.b.e.e.7.-.8.1.3.2.0.5.5.5.5.f.0.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.a.8.-.0.0.0.1.-.0.0.1.4.-.f.9.d.1.-.7.2.7.6.c.1.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER997A.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Apr 25 03:34:24 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	43558
Entropy (8bit):	2.0238282888654857
Encrypted:	false
SSDEEP:	192:tiurO+9zO5H4dM9tTRUWuLDK+H32b3FaS5Paxc:/rO+9q5HIM9rUtG+O0Xc
MD5:	2C56EA1FA8580285EC914B40239BD7EC
SHA1:	81A0E4F58166E9D4B651F0192978EA1B8538CEE3
SHA-256:	6EB37013DCD238B337E41586A0A84DB04B3737C78FDE39D7D6AC829730361580
SHA-512:	EBB7ED2FD9CBFFB4AC23D99424E22A80DE164B54A1FA8421D253A6BA8D10444A4C3182FBAE8C9C694330CB664784EEEBFBEDB2B5E86B4901300A897EF5549089
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......@.)f....................................$...............Z/..........`.......8...........T...............6.......................................................................................................eJ......(.......GenuineIntel............T...........>.)f.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER99C8.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Apr 25 03:34:24 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44154
Entropy (8bit):	1.9948715879030372
Encrypted:	false
SSDEEP:	192:tVurO+Z7fO5H4dM9/X7zZ+qqI73Q4FtuebjhIw39l:GrO+VW5HIM9/X3Z+qqI7BtzyKl
MD5:	8B73D2C67D8F67F07123774C104722E6
SHA1:	54D00D6DE06618B149753BCABAAB1C57E7B67D7B
SHA-256:	4CC46822760A49492A4B1DAA844BC2A592F969BA23F27455F90884A05D5013B1
SHA-512:	A05A0320A0679D6C89C713C295849E78326A76D332ACC276FAC048135BBF0D2E7DBFB80DDACB226B618BE3B372192B28148A36C7F608D2B83A6AB4450A3E6690
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......@.)f....................................$...............Z/..........`.......8...........T......................................................................................................................eJ......(.......GenuineIntel............T...........>.)f.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AB3.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8342
Entropy (8bit):	3.691918749645578
Encrypted:	false
SSDEEP:	192:R6l7wVeJ8D6D6Y+K6Ggmf8RJvopDO89bX2sfj9m:R6lXJY6D6YT6Ggmf8RJvCXVfE
MD5:	4840317AC383B523892BF0A2674B16FA
SHA1:	E736F42FDFCEB4DD9BD86217A29925DE31E3A32A
SHA-256:	2D16B220A0FC48B37FFEDD034989AC100806932D125F7B44598F6F9AFC742731
SHA-512:	DA3158DEFC99FBCA9D1338E551392DADEF43C8DD0068D1304C95309F409ED9CCED1B68A67122C4C0612E103466C32E7A597BC599043813C1B6CE4243D2505020
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AC3.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8348
Entropy (8bit):	3.6904699834281316
Encrypted:	false
SSDEEP:	192:R6l7wVeJFe6qZ6Y7n6Qgmf8RJvopD789bXIsfC9m:R6lXJ86E6Yb6Qgmf8RJv5X7fB
MD5:	4208A25DD404671D41EB5EFCEC4A85AE
SHA1:	630601CF4B56CE006C03F09860CD987586FD1000
SHA-256:	6B2E98A0658017BE90022BF6DB53D255D8AEE4342F2B456D8B88E62252C0DF0D
SHA-512:	1FE58305D2682366307DDAA9143AF3269E8E38DF9C72390DB279AD0F2BBC39BDA7708CD0CADE934BEF12C00A1002F9D1D12A978F3B7712227C65D50C90F21A21
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AF3.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4757
Entropy (8bit):	4.447565694107709
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZJg77aI9uBWpW8VYaPYm8M4JCdPlF6+q8vjPNoGScSUd:uIjfrI7oQ7VrSJLK2J3Ud
MD5:	CA66891BB74499607E94B0C1F0C8FAAA
SHA1:	915C8B925A303B4F6B1A8F6A3E9E8E9A53D78C86
SHA-256:	43BB61DF9AE3AB018ADF618D407CE8591BDF18EE61E3FAC11D4417F66C4EA5C0
SHA-512:	AD29234DC5C9765F8CF1A6FBD053A5AF1EDC50D74FA68A6B76A0538922B02ECF9DA4B968D0990C9ADC919940ED4E8C2856DBC597AAE62B3FCEC090A8C93E8AED
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="294877" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B31.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4757
Entropy (8bit):	4.4460035769158
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZJg77aI9uBWpW8VYsYm8M4JCdPlFvk+q8vjPFGScSxd:uIjfrI7oQ7VMJlKZJ3xd
MD5:	7CF147FBFDE5F6284B879332A1221C52
SHA1:	57C946D78D8DF7F65D3F066DE7537AE99F4814E2
SHA-256:	878F0BBA862C0E0B6728759F9E9FA5449296672BAE42452E354CA55FD65B797C
SHA-512:	595A99AA4AFF9947347C04E053486BE2F70619A6C119D439C8F360E92E76FCB4D7D579F3E884706DF45263C96B8EDAE673A99957ED866FFA100B4683A0685A9D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="294877" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA7A3.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Apr 25 03:34:28 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44014
Entropy (8bit):	2.0950450191628387
Encrypted:	false
SSDEEP:	192:pJWGIurO+bvO5H4dM9hb+Beq1qKH+MDpTLCe:71LrO+y5HIM9hb+QiqwDB+e
MD5:	23D6E939B9BFA6662D39DD75BD1E2AB3
SHA1:	CAB7616187632F901651738D5B9356C50D6E0E28
SHA-256:	F16A54BCBF38DA9F6F4E3A67170C0115AA967CA2647A0950E7A1B619BFD34E68
SHA-512:	9A8F2F102DA83F07F69A5B9B129757EE7F82EC4419FFD8C61520E550E6BAA6246A1F28B2BDE2A17224540DBF21AFE8B846C6877C52BD101BB71259144B95DB75
Malicious:	false
Preview:	MDMP..a..... .......D.)f....................................$...............Z/..........`.......8...........T............"..........................................................................................................eJ......(.......GenuineIntel............T.......p...B.)f.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA811.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8362
Entropy (8bit):	3.691155021332479
Encrypted:	false
SSDEEP:	192:R6l7wVeJA46P6Y7b66zgmf8RJvopDO89b7csfOJm:R6lXJf6P6YX6Ogmf8RJvC7vfR
MD5:	0D557091566DEBBE87EF37B7822C3EEE
SHA1:	CA925F05394636250A9BAD0260661C278DA20F96
SHA-256:	E893C1DC9B8043ADE6648D0994592EB431BCA23BE727D0300569A874A08E3A0E
SHA-512:	AED2F7549EDED0E740240E08F491859CD1864297BE9A8D2A80E6B08C604F777E70D1A552DE5E9A67C481346ABBFFF81667318814D08D46872AD52C050886FA35
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA841.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4757
Entropy (8bit):	4.4390763611461175
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZJg77aI9uBWpW8VYCYm8M4JCdPlF27+q8vjPnGScS8d:uIjfrI7oQ7ViJr7KjJ38d
MD5:	FA9FF8A5D87990208B8A1136A5483917
SHA1:	ED1BCD408E573F1A429C52C48434459E74EFCF17
SHA-256:	BE7807B729E72C48689D9C1559368D576578BA2FEA691F0A9E6D71912539BA62
SHA-512:	A7EB7C6E0ED55BFCF978170BA65116385DD93BAEB6E4D481B5CD4AACA031D6C63F5076C85037054FE2C0BCC9F2B509B7BCCBE7C110EEF8C76D0DE6D3C9D5C438
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="294877" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\6e8fa6.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: SecuriteInfo.com.Win32.DropperX-gen.25624.11389.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen19.27544.4289.6649.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen19.27544.16723.4470.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Bulz.467496.20475.7100.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.8987.8491.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Bulz.467496.20475.7100.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.1486.14630.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.19982.21920.dll, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.19982.21920.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e8fb6.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: SecuriteInfo.com.Win32.DropperX-gen.25624.11389.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen19.27544.4289.6649.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen19.27544.16723.4470.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Bulz.467496.20475.7100.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.8987.8491.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Bulz.467496.20475.7100.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.1486.14630.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.19982.21920.dll, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.19982.21920.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9014.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9024.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e90c1.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e90f0.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e90f1.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e913f.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e916f.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e91bd.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e91ce.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e924c.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e927a.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e92ab.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e92c9.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9385.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9386.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e93e4.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e93e5.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9444.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9491.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e94d1.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e95ab.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e960a.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9c29.tmp

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9cf5.tmp

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9d64.tmp

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9da3.tmp

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9e02.tmp

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9e80.tmp

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9ecf.tmp

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9f5d.tmp

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9fbb.tmp

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6e9feb.tmp

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ea04a.tmp

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ea089.tmp

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ea10b.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ea15a.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ea19a.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ea1f8.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ea267.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ea2a6.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ea2d6.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ea335.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ea3c3.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ea402.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ea451.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ea4ee.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136336
Entropy (8bit):	6.417048469027992
Encrypted:	false
SSDEEP:	3072:xqG/1ODJVjqZO/1avAHGVOBwD+S/M19oWUrTf5+ec+3uzAL:9/1OtVj+Amb+SL5n
MD5:	873692EF0C70675F179C190CDC45CB09
SHA1:	CF661969D1AC23463261C48D975F1636EB5F995B
SHA-256:	552750680F4748906D37A0CF0A9F33E6E5C20DF24245A7AD7E752F87830E3E2B
SHA-512:	5D3826032C5181CEB3C072502F7FF09EA99F31AD7634CEB31FA47017176396754FBE009C93C42552590C19C0A41170D586A7C2DA95325AE4C43194578F74ACA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ee..$..$..$..O..$..\..$..$..G&..O..$..O..$..O..$..O..$..O..$..Rich.$..................PE..L......*...........!.........F......ps............PM.........................0.......3....@E...............................d...T........................&...........(..T...............................................`....... ....................text...S........................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.394712226851867
Encrypted:	false
SSDEEP:	6144:gl4fiJoH0ncNXiUjt10qCG/gaocYGBoaUMMhA2NX4WABlBuNAyOBSqa:44vFCMYQUMM6VFYSyU
MD5:	A9E5BB54CD09FA5E350B9CCA7F531ACE
SHA1:	AE36115F849C4FBC465E83959B00AF1491237FB8
SHA-256:	7DFD5AEEA2DC4E68CE0385CA45B0BAB1A6DA56714A8938D8D17E5E5A72164F39
SHA-512:	D2ED95B10BEB7006410D188C872CAFC721C98E1F2610FD68DA68FEC2834113E64C5EF238931691D00A3ED0F3D074EEFE4555A6E4714302B6C8C604D5E14B7FEB
Malicious:	false
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmr..w...................................................................................................................................................................................................................................................................................................................................................C........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.367387166139938
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 94.34% InstallShield setup (43055/19) 4.05% Windows Screen Saver (13104/52) 1.23% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19%
File name:	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll
File size:	1'313'056 bytes
MD5:	6528055bc2fa49ae0cd65d2ffbbffc2f
SHA1:	d61bd08ebe3cadc025c2855408df2ea5cf333079
SHA256:	d52c8e88917ca1759d156deaeb46a64e1102a59c3617bba32f652a60afe75cf5
SHA512:	ab0a07d938969b123044e684050079dc1aba5ffc6455dcb780226fd4ce310c1cf0f54a4f6f0a283ec4ad122cc95eb2e5b64ef2a21596ba4c6c5a31be55e93dc4
SSDEEP:	24576:Iz+iIniPg+9qqqIlJMhmVOWitpNTc6X7HsnoIp:If9N6WiRBLMo
TLSH:	BA557D13BA91C0B1D21C1935D4276BF9AB75BE09CE20CA9BE3A4FE7E7D321509923117
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ua`.4.3.4.3.4.3.(.3.4.31(.3.4.3...3.4.3...3.4.3.+.3.4.3.+.3.4.3.4.3.6.3Z+.3.4.3.4.3.4.3u2.3.4.3M..3.4.3Rich.4.3...............

File Icon


Icon Hash:	9eb3c18c2ceea99a

Static PE Info

General

Entrypoint:	0x1006b6f9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x528DA73F [Thu Nov 21 06:25:03 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	dc123ecb152d3069b0532972ddf602ee

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F6718C28FBBh
cmp dword ptr [100D1080h], 00000000h
jmp 00007F6718C28FD8h
cmp esi, 01h
je 00007F6718C28FB7h
cmp esi, 02h
jne 00007F6718C28FD4h
mov eax, dword ptr [100D27C8h]
test eax, eax
je 00007F6718C28FBBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F6718C28FBEh
push edi
push esi
push ebx
call 00007F6718C28E9Ch
test eax, eax
jne 00007F6718C28FB6h
xor eax, eax
jmp 00007F6718C29000h
push edi
push esi
push ebx
call 00007F6718C27FEEh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F6718C28FBEh
test eax, eax
jne 00007F6718C28FE9h
push edi
push eax
push ebx
call 00007F6718C28E78h
test esi, esi
je 00007F6718C28FB7h
cmp esi, 03h
jne 00007F6718C28FD8h
push edi
push esi
push ebx
call 00007F6718C28E67h
test eax, eax
jne 00007F6718C28FB5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F6718C28FC3h
mov eax, dword ptr [100D27C8h]
test eax, eax
je 00007F6718C28FBAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
mov eax, dword ptr [100D108Ch]
cmp eax, 01h
je 00007F6718C28FBFh
test eax, eax
jne 00007F6718C28FC0h
cmp dword ptr [100D1090h], 01h
jne 00007F6718C28FB7h
call 00007F6718C2D6FDh
push dword ptr [esp+04h]
call 00007F6718C2D72Dh
push 000000FFh

Rich Headers

Programming Language:

[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804
[LNK] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb3410	0x47	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb1158	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xdf000	0x570c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd7000	0x7e78	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8b000	0x6ac	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x894e2	0x8a000	8d47264c2c683e9a375f3c62057421c0	False	0.4980875651041667	data	6.526750395274668	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8b000	0x28457	0x29000	9927eac2af930f8b55f2c6c4750c2e48	False	0.5323575647865854	data	5.778898832510645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb4000	0x1e7cc	0xf000	f9629f30cd6549358fee64ab76259ce3	False	0.302685546875	data	4.922240172967134	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp0	0xd3000	0x3161	0x4000	c1a4cc1f0c528d330b65ed8d6ae8d69f	False	0.64239501953125	data	6.372819549447077	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0xd7000	0x7e78	0x8000	cb3feea97b50a9cf1f8d09104219d4d4	False	0.63116455078125	data	6.574755467031048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xdf000	0x570c	0x6000	38be7145636e06747f672511306d1fbe	False	0.2808024088541667	data	4.225479196235254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TEXTINCLUDE	0xdfbb4	0xb	ASCII text, with no line terminators	Chinese	China	1.7272727272727273
TEXTINCLUDE	0xdfbc0	0x16	data	Chinese	China	1.3636363636363635
TEXTINCLUDE	0xdfbd8	0x151	C source, ASCII text, with CRLF line terminators	Chinese	China	0.6201780415430267
RT_CURSOR	0xdfd2c	0x134	data	Chinese	China	0.5811688311688312
RT_CURSOR	0xdfe60	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0xdff94	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0xe00c8	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_BITMAP	0xe017c	0x248	Device independent bitmap graphic, 64 x 15 x 4, image size 480	Chinese	China	0.3407534246575342
RT_BITMAP	0xe03c4	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.4444444444444444
RT_BITMAP	0xe0508	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.26453488372093026
RT_BITMAP	0xe0660	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2616279069767442
RT_BITMAP	0xe07b8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2441860465116279
RT_BITMAP	0xe0910	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.24709302325581395
RT_BITMAP	0xe0a68	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2238372093023256
RT_BITMAP	0xe0bc0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.19476744186046513
RT_BITMAP	0xe0d18	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.20930232558139536
RT_BITMAP	0xe0e70	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.18895348837209303
RT_BITMAP	0xe0fc8	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	Chinese	China	0.34615384615384615
RT_BITMAP	0xe15ac	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0xe1664	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.28296703296703296
RT_BITMAP	0xe17d0	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0xe1914	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0xe1bfc	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0xe1d24	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.3885135135135135
RT_ICON	0xe1e4c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.33198924731182794
RT_ICON	0xe2134	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536			0.22378048780487805
RT_MENU	0xe279c	0xc	data	Chinese	China	1.5
RT_MENU	0xe27a8	0x284	data	Chinese	China	0.5
RT_DIALOG	0xe2a2c	0x98	data	Chinese	China	0.7171052631578947
RT_DIALOG	0xe2ac4	0x17a	data	Chinese	China	0.5185185185185185
RT_DIALOG	0xe2c40	0xfa	data	Chinese	China	0.696
RT_DIALOG	0xe2d3c	0xea	data	Chinese	China	0.6239316239316239
RT_DIALOG	0xe2e28	0x8ae	data	Chinese	China	0.39603960396039606
RT_DIALOG	0xe36d8	0xb2	data	Chinese	China	0.7359550561797753
RT_DIALOG	0xe378c	0xcc	data	Chinese	China	0.7647058823529411
RT_DIALOG	0xe3858	0xb2	data	Chinese	China	0.6629213483146067
RT_DIALOG	0xe390c	0xe2	data	Chinese	China	0.6637168141592921
RT_DIALOG	0xe39f0	0x18c	data	Chinese	China	0.5227272727272727
RT_STRING	0xe3b7c	0x50	data	Chinese	China	0.85
RT_STRING	0xe3bcc	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0xe3bf8	0x78	data	Chinese	China	0.925
RT_STRING	0xe3c70	0x1c4	data	Chinese	China	0.8141592920353983
RT_STRING	0xe3e34	0x12a	data	Chinese	China	0.5201342281879194
RT_STRING	0xe3f60	0x146	data	Chinese	China	0.6288343558282209
RT_STRING	0xe40a8	0x40	data	Chinese	China	0.65625
RT_STRING	0xe40e8	0x64	data	Chinese	China	0.73
RT_STRING	0xe414c	0x1d8	data	Chinese	China	0.6758474576271186
RT_STRING	0xe4324	0x114	data	Chinese	China	0.6376811594202898
RT_STRING	0xe4438	0x24	data	Chinese	China	0.4444444444444444
RT_GROUP_CURSOR	0xe445c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0xe4470	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0xe4484	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_ICON	0xe44a8	0x30	data			0.9166666666666666
RT_GROUP_ICON	0xe44d8	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0xe44ec	0x14	data	Chinese	China	1.25
RT_VERSION	0xe4500	0x20c	data	Chinese	China	0.4713740458015267

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GlobalUnlock, SetStdHandle, IsBadCodePtr, IsBadReadPtr, CompareStringW, CompareStringA, SetUnhandledExceptionFilter, GetStringTypeW, GetStringTypeA, IsBadWritePtr, VirtualAlloc, FindClose, LCMapStringA, SetEnvironmentVariableA, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, GetStartupInfoA, GetFileType, GetStdHandle, SetHandleCount, GetACP, HeapSize, TerminateProcess, GetLocalTime, GetSystemTime, GetTimeZoneInformation, RaiseException, RtlUnwind, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, ReadFile, GetLastError, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, WinExec, lstrcpyA, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetFullPathNameA, FreeLibrary, LoadLibraryA, lstrlenA, GetVersionExA, WritePrivateProfileStringA, CreateThread, CreateEventA, Sleep, GlobalAlloc, FindFirstFileA, GlobalLock, GetFileTime, GetFileSize, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GetVersion, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpiA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, GetCurrentProcess, DuplicateHandle, lstrcpynA, SetLastError, GetFileAttributesA, CopyFileA, GetCurrentDirectoryA, SetCurrentDirectoryA, FileTimeToLocalFileTime, FileTimeToSystemTime, LocalFree, MultiByteToWideChar, WideCharToMultiByte, InterlockedDecrement, InterlockedIncrement, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, GetDiskFreeSpaceA, MulDiv, GetCommandLineA, GetTickCount, WaitForSingleObject, LCMapStringW, CloseHandle
USER32.dll	OpenClipboard, GetClipboardData, CloseClipboard, SetClipboardData, EmptyClipboard, wsprintfA, GetSystemMetrics, GetCursorPos, MessageBoxA, SetWindowPos, SendMessageA, DestroyCursor, SetParent, IsWindow, PostMessageA, GetTopWindow, GetParent, GetFocus, GetClientRect, InvalidateRect, ValidateRect, UpdateWindow, EqualRect, GetWindowRect, SetForegroundWindow, DestroyMenu, IsChild, ReleaseDC, IsRectEmpty, FillRect, SystemParametersInfoA, TranslateMessage, LoadIconA, DrawFrameControl, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, CreateIconFromResource, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetSystemMenu, DeleteMenu, GetClassInfoA, DefWindowProcA, GetMenu, SetMenu, PeekMessageA, IsIconic, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, ReleaseCapture, GetWindowTextA, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, GetDlgItem, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetDC, GetLastActivePopup, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, UnhookWindowsHookEx, SetPropA, GetClassLongA, CallNextHookEx, SetWindowsHookExA, CreateWindowExA, GetMenuItemID, GetMenuItemCount, RegisterClassA, GetScrollPos, GetForegroundWindow, AdjustWindowRectEx, MapWindowPoints, SendDlgItemMessageA, ScrollWindowEx, IsDialogMessageA, SetWindowTextA, MoveWindow, CheckMenuItem, SetMenuItemBitmaps, GetMenuState, GetMenuCheckMarkDimensions, GetClassNameA, GetDesktopWindow, UnregisterClassA, LoadStringA, GetSysColorBrush, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, InflateRect, SetRect, IntersectRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, LoadCursorA, SetCursor
GDI32.dll	CreateRectRgnIndirect, SetStretchBltMode, GetClipRgn, CreatePolygonRgn, SelectClipRgn, DeleteObject, CreateDIBitmap, GetSystemPaletteEntries, CreatePalette, StretchBlt, SelectPalette, RealizePalette, GetDIBits, GetWindowExtEx, GetViewportOrgEx, GetWindowOrgEx, BeginPath, EndPath, PathToRegion, CreateEllipticRgn, CreateRoundRectRgn, GetTextColor, GetBkMode, GetBkColor, GetROP2, GetStretchBltMode, GetPolyFillMode, CreateCompatibleBitmap, CreateDCA, CreateBitmap, SelectObject, GetObjectA, CreatePen, PatBlt, FillRgn, CreateRectRgn, CombineRgn, CreateSolidBrush, GetStockObject, CreateFontIndirectA, EndPage, EndDoc, DeleteDC, StartDocA, StartPage, BitBlt, CreateCompatibleDC, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, SaveDC, RestoreDC, SetBkMode, SetPolyFillMode, SetROP2, SetTextColor, GetTextMetricsA, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, GetViewportExtEx, ExtSelectClipRgn, LineTo, MoveToEx, ExcludeClipRect, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SetMapMode, SetBkColor
WINMM.dll	waveOutReset, midiStreamRestart, midiStreamClose, midiOutReset, midiStreamStop, midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutGetNumDevs, waveOutClose, waveOutUnprepareHeader, waveOutPause, waveOutWrite, waveOutPrepareHeader
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesA, OpenPrinterA
ADVAPI32.dll	RegQueryValueA, RegCloseKey, RegOpenKeyExA, RegSetValueExA, RegCreateKeyA, RegCreateKeyExA
SHELL32.dll	Shell_NotifyIconA, ShellExecuteA
ole32.dll	OleUninitialize, CLSIDFromString, OleInitialize
OLEAUT32.dll	UnRegisterTypeLib, RegisterTypeLib, LoadTypeLib
COMCTL32.dll	ImageList_Destroy
WS2_32.dll	ioctlsocket, recv, getpeername, accept, inet_ntoa, WSACleanup, closesocket, WSAAsyncSelect, recvfrom
comdlg32.dll	GetFileTitleA, GetSaveFileNameA, GetOpenFileNameA, ChooseColorA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Target ID:	2
Start time:	05:34:21
Start date:	25/04/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll"
Imagebase:	0x570000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	05:34:21
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	05:34:22
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll",#1
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	05:34:22
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll, DLL
Imagebase:	0x780000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	05:34:22
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll",#1
Imagebase:	0x780000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	05:34:24
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 808
Imagebase:	0x8d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	05:34:24
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5544 -s 800
Imagebase:	0x8d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	05:34:26
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll", DLL
Imagebase:	0x780000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	16
Start time:	05:34:28
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7280 -s 872
Imagebase:	0x8d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true