Windows Analysis Report
vulkan-1.dll

Overview

General Information

Sample name: vulkan-1.dll
Analysis ID: 1431065
MD5: 5e162bcda79c966d63a15e49c8bf8c13
SHA1: 2f2c77e120b66a34648c22fa23d525b1ead0df67
SHA256: 25d6b4ef0a74f1a04476dc2944def16d4ca2b015277add2ebcfbc1c3df13793c
Infos:

Detection

Score: 6
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

Source: vulkan-1.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Source: Binary string: C:\projects\src\out\Default\vulkan-1.dll.pdb source: loaddll64.exe, 00000000.00000002.2924751005.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1834242401.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1825910461.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1799004776.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1809105234.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1760012512.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.1760822003.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1763354731.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.1764637957.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1766989763.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1769289710.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1769782887.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.1770951904.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.1777449017.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1776291770.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.1776295862.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.1776321834.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000024.00000002.1775214464.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.1777112962.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000028.00000002.1777529817.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, vulkan-1.dll
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vul_d2be42f9ca26f5b1c98ace275864247822806def_20b95fe6_fb6bb36d-6fd7-4e37-9ac7-808a63498779\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vul_8a98533a1ee59e3066e2be1dd9ba698f1f7c53_20b95fe6_efed0deb-ab6a-419b-abdf-f64dadf15c15\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue Jump to behavior
Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF284804 0_2_00007FFDFF284804
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2A8000 0_2_00007FFDFF2A8000
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF28B7E8 0_2_00007FFDFF28B7E8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF225830 0_2_00007FFDFF225830
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF227F50 0_2_00007FFDFF227F50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF295740 0_2_00007FFDFF295740
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF227F30 0_2_00007FFDFF227F30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF228610 0_2_00007FFDFF228610
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2A2618 0_2_00007FFDFF2A2618
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF284E10 0_2_00007FFDFF284E10
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF222613 0_2_00007FFDFF222613
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF284600 0_2_00007FFDFF284600
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF222620 0_2_00007FFDFF222620
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF222490 0_2_00007FFDFF222490
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2834C0 0_2_00007FFDFF2834C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2A3504 0_2_00007FFDFF2A3504
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2234F0 0_2_00007FFDFF2234F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF29D4EC 0_2_00007FFDFF29D4EC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF227D30 0_2_00007FFDFF227D30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF231D20 0_2_00007FFDFF231D20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF28D3B4 0_2_00007FFDFF28D3B4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF284C0C 0_2_00007FFDFF284C0C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2843FC 0_2_00007FFDFF2843FC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF285C50 0_2_00007FFDFF285C50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF294C28 0_2_00007FFDFF294C28
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF282420 0_2_00007FFDFF282420
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2AB294 0_2_00007FFDFF2AB294
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF241990 0_2_00007FFDFF241990
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2829D0 0_2_00007FFDFF2829D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2219B0 0_2_00007FFDFF2219B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2281A0 0_2_00007FFDFF2281A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2ABA14 0_2_00007FFDFF2ABA14
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF284A08 0_2_00007FFDFF284A08
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF29D204 0_2_00007FFDFF29D204
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF283A58 0_2_00007FFDFF283A58
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF23787C 0_2_00007FFDFF23787C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF29D8E4 0_2_00007FFDFF29D8E4
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll64.exe Code function: String function: 00007FFDFF295090 appears 1217 times
One or more processes crash
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7352 -s 316
PE file contains more sections than normal
Source: vulkan-1.dll Static PE information: Number of sections : 11 > 10
Source: classification engine Classification label: clean6.winDLL@102/17@0/0
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7352
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7776
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7368
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7632
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c0b4815a-8c8e-4303-9a82-1eb7d039b9bb Jump to behavior
Source: vulkan-1.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vulkan-1.dll,vkAcquireNextImage2KHR
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\vulkan-1.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vulkan-1.dll,vkAcquireNextImage2KHR
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7352 -s 316
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7368 -s 348
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vulkan-1.dll,vkAcquireNextImageKHR
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7632 -s 340
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vulkan-1.dll,vkAllocateCommandBuffers
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7776 -s 348
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkAcquireNextImage2KHR
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkAcquireNextImageKHR
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkAllocateCommandBuffers
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkWaitSemaphores
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkWaitForFences
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkUpdateDescriptorSets
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkUpdateDescriptorSetWithTemplate
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkUnmapMemory
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkTrimCommandPool
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkSignalSemaphore
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkSetPrivateData
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkSetEvent
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkResetQueryPool
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkResetFences
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkResetEvent
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vulkan-1.dll,vkAcquireNextImage2KHR Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vulkan-1.dll,vkAcquireNextImageKHR Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vulkan-1.dll,vkAllocateCommandBuffers Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkAcquireNextImage2KHR Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkAcquireNextImageKHR Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkAllocateCommandBuffers Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkWaitSemaphores Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkWaitForFences Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkUpdateDescriptorSets Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkUpdateDescriptorSetWithTemplate Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkUnmapMemory Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkTrimCommandPool Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkSignalSemaphore Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkSetPrivateData Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkSetEvent Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkResetQueryPool Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkResetFences Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",vkResetEvent Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7352 -s 316 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: dxgi.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: vulkan-1.dll Static PE information: More than 245 > 100 exports found
Source: vulkan-1.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: vulkan-1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: vulkan-1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: vulkan-1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: vulkan-1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: vulkan-1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: vulkan-1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: vulkan-1.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Source: vulkan-1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\projects\src\out\Default\vulkan-1.dll.pdb source: loaddll64.exe, 00000000.00000002.2924751005.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1834242401.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1825910461.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1799004776.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1809105234.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1760012512.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.1760822003.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1763354731.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.1764637957.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1766989763.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1769289710.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1769782887.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.1770951904.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.1777449017.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1776291770.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000022.00000002.1776295862.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.1776321834.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000024.00000002.1775214464.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.1777112962.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000028.00000002.1777529817.00007FFDFF2BA000.00000002.00000001.01000000.00000003.sdmp, vulkan-1.dll
Source: vulkan-1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: vulkan-1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: vulkan-1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: vulkan-1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: vulkan-1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
PE file contains sections with non-standard names
Source: vulkan-1.dll Static PE information: section name: .00cfg
Source: vulkan-1.dll Static PE information: section name: .gxfg
Source: vulkan-1.dll Static PE information: section name: .retplne
Source: vulkan-1.dll Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF234C67 push rax; ret 0_2_00007FFDFF234C6D
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vul_d2be42f9ca26f5b1c98ace275864247822806def_20b95fe6_fb6bb36d-6fd7-4e37-9ac7-808a63498779\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vul_8a98533a1ee59e3066e2be1dd9ba698f1f7c53_20b95fe6_efed0deb-ab6a-419b-abdf-f64dadf15c15\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue Jump to behavior
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Checks if the current process is being debugged
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF29C85C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FFDFF29C85C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF29C85C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FFDFF29C85C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF27EC38 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FFDFF27EC38
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vulkan-1.dll",#1 Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW, 0_2_00007FFDFF29AF84
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW, 0_2_00007FFDFF29B7B8
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW, 0_2_00007FFDFF2A07EC
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FFDFF2A0D98
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FFDFF2A04EC
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW, 0_2_00007FFDFF2A0B08
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF27EFE0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FFDFF27EFE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFF2AA5B4 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FFDFF2AA5B4
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1431065 Sample: vulkan-1.dll Startdate: 24/04/2024 Architecture: WINDOWS Score: 6 7 loaddll64.exe 1 2->7         started        process3 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 17 other processes 7->15 process4 17 rundll32.exe 9->17         started        19 WerFault.exe 16 11->19         started        21 WerFault.exe 16 13->21         started        23 WerFault.exe 16 15->23         started        process5 25 WerFault.exe 20 18 17->25         started       
No contacted IP infos