Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll

Overview

General Information

Sample name: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll
(renamed file extension from exe to dll)
Original sample name: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.exe
Analysis ID: 1430615
MD5: fd2a2fbb6b25ccc4ea52f27dce2c32de
SHA1: 39dd88a51067c8b7760649fde37dee835a9b4284
SHA256: da5f9004e05098aa0c86b94e8f2403b9adaa0b99ae562607f283de70fbcdb3bc
Tags: exe

Detection

Score: 7
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

AV process strings found (often used to terminate AV products)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF210300 _invalid_parameter_noinfo_noreturn,CreateFileW,GetFileSize,ReadFile,CryptAcquireContextW,CryptCreateHash,CloseHandle,CryptReleaseContext,CryptHashData,CloseHandle,CryptDestroyHash,CryptReleaseContext,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle, 0_2_00007FFDFF210300
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: smss.pdb source: rundll32.exe, 00000003.00000003.1650386544.000001DEF7C77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: smss.pdbUGP source: rundll32.exe, 00000003.00000003.1650386544.000001DEF7C77000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF29FE70 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort, 0_2_00007FFDFF29FE70
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2151B0 GetAsyncKeyState,malloc,CreateEventW,SetWindowLongPtrW, 0_2_00007FFDFF2151B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF250250 GetClientRect,QueryPerformanceCounter,GetForegroundWindow,ClientToScreen,SetCursorPos,GetCursorPos,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00007FFDFF250250
Source: C:\Windows\System32\loaddll64.exe Code function: String function: 00007FFDFF1F1B70 appears 64 times
Source: C:\Windows\System32\loaddll64.exe Code function: String function: 00007FFDFF1F0970 appears 47 times
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6352 -s 496
Source: classification engine Classification label: clean7.winDLL@8/9@0/0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF20FD00 CreateToolhelp32Snapshot,memset,Process32FirstW,GetCurrentProcessId,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,_invalid_parameter_noinfo_noreturn,CloseHandle,CloseHandle, 0_2_00007FFDFF20FD00
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2060
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6352
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\aae8777d-7b6a-4d42-a076-e94ae3661dc1
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll",#1
Source: loaddll64.exe String found in binary or memory: No backend found! Please make sure the backend is listening to port '5595' / '3551' or check the CraniumV1 Settings file for the custom Port setting. Carbon provides NeoniteV2 pre-installed with the ZIP File. Execute the 'run.bat' and try again! Inside If y
Source: loaddll64.exe String found in binary or memory: No backend found! Please make sure the backend is listening to port '5595' / '3551' or check the CraniumV1 Settings file for the custom Port setting.Carbon provides NeoniteV2 pre-installed with the ZIP File.Execute the 'run.bat' and try again! Inside If y
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2060 -s 456
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: version.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: msvcp140.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: d3dcompiler_47.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll64.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static file information: File size 1233408 > 1048576
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF24F260 GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,memset,D3DCompile,D3DCompile, 0_2_00007FFDFF24F260
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: section name: .detourc
Source: SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll Static PE information: section name: .detourd
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe API coverage: 2.0 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF29FE70 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort, 0_2_00007FFDFF29FE70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF29B810 GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualQuery,VirtualAlloc, 0_2_00007FFDFF29B810
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF20FD00 CreateToolhelp32Snapshot,memset,Process32FirstW,GetCurrentProcessId,Process32NextW,FindCloseChangeNotification,OpenProcess,QueryFullProcessImageNameW,_invalid_parameter_noinfo_noreturn,CloseHandle,CloseHandle, 0_2_00007FFDFF20FD00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF24F260 GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,memset,D3DCompile,D3DCompile, 0_2_00007FFDFF24F260
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2A0AFC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FFDFF2A0AFC
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.25386.29459.dll",#1
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_00007FFDFF2A01F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2A11F4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FFDFF2A11F4
Source: C:\Windows\System32\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe
No contacted IP infos