Windows Analysis Report
02.dll.dll

Overview

General Information

Sample name: 02.dll.dll
(renamed file extension from exe to dll)
Original sample name: 02.dll.exe
Analysis ID: 1427741
MD5: 4b7b85d70329e085ab06dcdf9557b0a0
SHA1: 3a277203cb4916eb1f55f867f0bd368476c613fb
SHA256: 49220571574da61781de37f35c66e8f0dadb18fdedb6d3a1be67485069cfd4b0
Tags: exeQakbottchk08

Detection

Bazar Loader, Qbot
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Check for Windows Defender sandbox
Multi AV Scanner detection for submitted file
Yara detected Bazar Loader
Yara detected Qbot
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Qbot (QakBot, qbot)
Description: QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses C2 servers for payload targeting and download.
Attribution: GOLD CABIN
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

AV Detection

Source: 02.dll.dll Virustotal: Detection: 19%
Source: 02.dll.dll ReversingLabs: Detection: 13%
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800750F0 CryptAcquireContextA,GetLastError,CryptGenRandom, 3_2_00000001800750F0
Source: Binary string: C:\testing3\data\bdnc\BDNIMBUS-3071711\BDNIMBUS\bin\release\bdnc.pdb source: rundll32.exe, 00000003.00000002.2154578784.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2139051997.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2145893367.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.2168111693.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.2123138544.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2113846587.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.2115651942.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2168006557.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2115667100.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.2118582232.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000020.00000002.2120004903.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.2122221736.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000024.00000002.2119209789.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000025.00000002.2120409335.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.2120576111.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000027.00000002.2122212594.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000028.00000002.2122216421.0000000180252000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000029.00000002.2122426344.0000000180252000.00000002.00000001.01000000.00000003.sdmp, 02.dll.dll
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41B90ECD0 NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 22_2_000001A41B90ECD0
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41B911BB8 NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 22_2_000001A41B911BB8
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41B90E6E8 NtAllocateVirtualMemory,NtWriteVirtualMemory, 22_2_000001A41B90E6E8
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41B90EE48 NtResumeThread, 22_2_000001A41B90EE48
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41B91B1C4 NtProtectVirtualMemory,char_traits,NtProtectVirtualMemory, 22_2_000001A41B91B1C4
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180026F00 appears 52 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00000001800D7120 appears 105 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000000018002B690 appears 297 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180043930 appears 40 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180227E80 appears 162 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00000001800C6790 appears 133 times
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3440 -s 424
Source: 02.dll.dll Binary or memory string: OriginalFilenamebdnc.dllT vs 02.dll.dll
Source: classification engine Classification label: mal84.troj.evad.winDLL@72/17@0/0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001CC70 CertOpenSystemStoreA,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCRLsInStore,CertEnumCRLsInStore,CertCloseStore, 3_2_000000018001CC70
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41B9117AC CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 22_2_000001A41B9117AC
Source: C:\Windows\System32\rundll32.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1900
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1408
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3440
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4124
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e0b944d2-36ac-4e22-bd7b-34a71db2a648
Source: 02.dll.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\02.dll.dll,bdnimbus_ask
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\02.dll.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\02.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\02.dll.dll,bdnimbus_ask
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3440 -s 424
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1900 -s 416
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\02.dll.dll,bdnimbus_ask_async
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4124 -s 420
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\02.dll.dll,bdnimbus_ask_bin
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1408 -s 416
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_ask
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_ask_async
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_ask_bin
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",checkit
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_uninit
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_text
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_set_optionv
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_set_option
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_push_json
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_push_info
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_push_bin
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_mem_upload_async
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_mem_upload
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_json_type_of
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_json_string
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_json_real
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_json_path
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_json_object
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",bdnimbus_json_long
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 02.dll.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 02.dll.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: 02.dll.dll Static file information: File size 3691008 > 1048576
Source: 02.dll.dll Static PE information: Raw size of .text is bigger than: 0x100000 < 0x250400
Source: 02.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 02.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 02.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 02.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 02.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 02.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 02.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 02.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 02.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 02.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 02.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 02.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004FBF0 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary, 3_2_000000018004FBF0
Source: 02.dll.dll Static PE information: real checksum: 0x37113d should be: 0x3893d8
Source: 02.dll.dll Static PE information: section name: _RDATA
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41A0F634A push cs; retn 0000h 22_2_000001A41A0F6386
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41A0F4458 push ebx; iretd 22_2_000001A41A0F44DD
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41A0F44D4 push ebx; iretd 22_2_000001A41A0F44DD
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41A0F39DD push ds; ret 22_2_000001A41A0F39E5
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41B922CC7 push ebx; iretd 22_2_000001A41B922CD0
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41B92A101 push esp; ret 22_2_000001A41B92A10B
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41B922C4B push ebx; iretd 22_2_000001A41B922CD0
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41B9287C5 push esp; ret 22_2_000001A41B9287C4
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41B92873C push esp; ret 22_2_000001A41B9287C4
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41B924B3D push cs; retn 0000h 22_2_000001A41B924B79
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41B9221D0 push ds; ret 22_2_000001A41B9221D8
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe File Queried: C:\INTERNAL\__empty
Source: C:\Windows\System32\rundll32.exe API coverage: 2.1 %
Source: C:\Windows\System32\loaddll64.exe TID: 5424 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 6488 Thread sleep count: 237 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Code function: 22_2_000001A41B910450 LookupAccountSidW,GetSystemInfo, 22_2_000001A41B910450
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001802432BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00000001802432BC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004FBF0 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary, 3_2_000000018004FBF0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180227ED0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0000000180227ED0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Windows\System32\wermgr.exe base: 26204A90000 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Windows\System32\wermgr.exe base: 26204AC0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 26204A90000 value starts with: 4D5A
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 26204AC0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 26204A90000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 7FF6070E6590
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\02.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800744F0 GetProcAddress,GetSystemTimeAsFileTime, 3_2_00000001800744F0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180061840 GetVersion,RegOpenKeyExA,GetLastError,RegOpenKeyExA,GetLastError,RegCloseKey,RegCloseKey,RegOpenKeyExA,GetLastError,RegCloseKey, 3_2_0000000180061840
Source: C:\Windows\System32\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe
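The behaviour lines above record two patterns an analyst would want to pull out of a report like this automatically: the anti-debug checks (repeated DebugPort queries, IsDebuggerPresent inside the exception-handling routine at 3_2_00000001802432BC) and the injection chain in which rundll32.exe allocates an executable region in wermgr.exe, writes a buffer beginning with 4D5A (the MZ header) to that same base, and then writes to a second address in wermgr.exe for which no allocation by rundll32.exe is recorded. The following Python script is an added example, not part of the sandbox report or its tooling; it parses lines in the report's own format (a constructed sample copied from the entries above) and correlates foreign allocations with foreign writes. Function and field names, the protection keyword matching and the list of anti-debug API names are this example's own assumptions.

```python
"""Parse sandbox-style behaviour lines and flag anti-debug checks and
cross-process PE injection.  Added example; the line format follows the
report above, the field names and rules are assumptions of this script."""
import re
from collections import defaultdict

# Constructed sample: entries copied from the report above (same format).
SAMPLE_LINES = r"""
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001802432BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00000001802432BC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004FBF0 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary, 3_2_000000018004FBF0
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Windows\System32\wermgr.exe base: 26204A90000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Windows\System32\wermgr.exe base: 26204AC0000 protect: page read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 26204A90000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 26204AC0000 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 7FF6070E6590 Jump to behavior
"""

QUERY_RE = re.compile(r"^Source: (?P<src>\S+) Process queried: (?P<info>\S+)$")
CODEFN_RE = re.compile(r"^Source: (?P<src>\S+) Code function: (?P<fn>\S+) (?P<apis>[A-Za-z0-9_,]+)")
ALLOC_RE = re.compile(
    r"^Source: (?P<src>\S+) Memory allocated: (?P<dst>\S+) base: (?P<base>[0-9A-Fa-f]+)"
    r" protect: (?P<prot>.+?)(?: Jump to behavior)?$")
WRITE_RE = re.compile(
    r"^Source: (?P<src>\S+) Memory written: (?P<dst>\S+) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?(?: Jump to behavior)?$")

# Assumed list of API names worth flagging as debugger checks.
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess", "OutputDebugStringA"}


def anti_debug_findings(lines):
    """Return (number of DebugPort queries, {function: [anti-debug APIs]})."""
    debugport = 0
    by_fn = {}
    for line in lines:
        m = QUERY_RE.match(line)
        if m and m.group("info") == "DebugPort":
            debugport += 1
            continue
        m = CODEFN_RE.match(line)
        if m:
            apis = [a for a in m.group("apis").split(",") if a]
            hits = [a for a in apis if a in ANTI_DEBUG_APIS]
            if hits:
                by_fn[m.group("fn")] = hits
    return debugport, by_fn


def injection_findings(lines):
    """Correlate foreign allocations with writes to the same (src, dst, base).

    A region allocated with execute permission in another process and then
    written with an MZ header is classified as "pe-injection".  A foreign
    write with no matching allocation by the source is memory the target
    already owned (code or data patching) and is reported separately."""
    allocs = {}                      # (src, dst, base) -> protection string
    writes = defaultdict(list)       # (src, dst, base) -> [magic or None, ...]
    for line in lines:
        m = ALLOC_RE.match(line)
        if m:
            allocs[(m["src"], m["dst"], int(m["base"], 16))] = m["prot"]
            continue
        m = WRITE_RE.match(line)
        if m:
            writes[(m["src"], m["dst"], int(m["base"], 16))].append(m["magic"])

    findings = []
    for (src, dst, base), magics in writes.items():
        if src == dst:               # writes into the process's own memory are not injection
            continue
        prot = allocs.get((src, dst, base))
        executable = prot is not None and "execute" in prot
        mz = any(mg and mg.upper().startswith("4D5A") for mg in magics)
        if executable and mz:
            kind = "pe-injection"
        elif prot is None:
            kind = "foreign-write-no-alloc"
        else:
            kind = "foreign-write"
        findings.append({"source": src, "target": dst, "base": base,
                         "protect": prot, "kind": kind})
    return findings


if __name__ == "__main__":
    lines = SAMPLE_LINES.strip().splitlines()
    n, fns = anti_debug_findings(lines)
    print(f"DebugPort queries: {n}; anti-debug APIs by function: {fns}")
    for f in injection_findings(lines):
        print(f"{f['kind']:24} {f['source']} -> {f['target']} @ {f['base']:#x} ({f['protect']})")
```

On the sample the script reports the two DebugPort queries, IsDebuggerPresent in function 3_2_00000001802432BC, a pe-injection finding for the RWX region at 0x26204A90000, a plain foreign write to the read/write region at 0x26204AC0000, and a foreign write without allocation at 0x7FF6070E6590. The last class is the one to look at first when reconstructing how the injected PE gets executed, since the report records no allocation there.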

Stealing of Sensitive Information

Source: Yara match File source: 22.2.rundll32.exe.1a41a0d060d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.2179248939.000001A41A0D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2180620271.000001A41A101000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 22.2.rundll32.exe.1a41a104000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.1a41a0d280d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.1a41a0d280d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.1a41a0d060d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.1a41a104000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.2180990206.000001A41B901000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2180749909.000001A41A104000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2181091820.000001A41BB06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 22.2.rundll32.exe.1a41a0d060d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.2179248939.000001A41A0D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2180620271.000001A41A101000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 22.2.rundll32.exe.1a41a104000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.1a41a0d280d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.1a41a0d280d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.1a41a0d060d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.1a41a104000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.2180990206.000001A41B901000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2180749909.000001A41A104000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2181091820.000001A41BB06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018007BAC0 bind,WSAGetLastError,WSAGetLastError, 3_2_000000018007BAC0
No contacted IP infos