Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll
Analysis ID: 1431433
MD5: 6528055bc2fa49ae0cd65d2ffbbffc2f
SHA1: d61bd08ebe3cadc025c2855408df2ea5cf333079
SHA256: d52c8e88917ca1759d156deaeb46a64e1102a59c3617bba32f652a60afe75cf5
Tags: dll

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Renames NTDLL to bypass HIPS
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables driver privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll Avira: detected
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll Virustotal: Detection: 48%
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: wgdi32.pdbUGP source: loaddll32.exe, 00000002.00000003.1345228328.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000002.00000003.1347663473.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000002.00000003.1339182709.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000002.00000003.1342158891.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315072879.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1321885815.0000000002EFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1681788063.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1316161195.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1321297230.0000000002EFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1314214773.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315166483.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1319791841.0000000002EFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1307539655.0000000002EFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1314012323.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1310055446.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1307060024.0000000002E88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1317480969.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1352799164.0000000003410000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1355201068.0000000003422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1359058753.0000000003422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1349835454.0000000003410000.00000004.00000020.00020000.00000000.sdmp, 6e90c1.tmp.7.dr, 6ea089.tmp.2.dr, 6ea2a6.tmp.14.dr, 6ea3c3.tmp.14.dr, 6e93e4.tmp.6.dr, 6e91ce.tmp.7.dr, 6e9386.tmp.7.dr, 6ea4ee.tmp.14.dr
Source: Binary string: wntdll.pdbUGP source: 6e93e5.tmp.7.dr, 6ea1f8.tmp.14.dr, 6e9c29.tmp.2.dr, 6e924c.tmp.7.dr, 6e90f1.tmp.7.dr, 6ea2d6.tmp.14.dr, 6e8fa6.tmp.7.dr, 6e9ecf.tmp.2.dr
Source: Binary string: wntdll.pdb source: 6e93e5.tmp.7.dr, 6ea1f8.tmp.14.dr, 6e9c29.tmp.2.dr, 6e924c.tmp.7.dr, 6e90f1.tmp.7.dr, 6ea2d6.tmp.14.dr, 6e8fa6.tmp.7.dr, 6e9ecf.tmp.2.dr
Source: Binary string: wuser32.pdb source: 6ea267.tmp.14.dr, 6ea451.tmp.14.dr, 6ea335.tmp.14.dr, 6ea15a.tmp.14.dr, 6e91bd.tmp.6.dr, 6e95ab.tmp.6.dr, 6e9385.tmp.6.dr
Source: Binary string: wgdi32.pdb source: loaddll32.exe, 00000002.00000003.1345228328.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000002.00000003.1347663473.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000002.00000003.1339182709.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000002.00000003.1342158891.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315072879.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1321885815.0000000002EFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1681788063.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1316161195.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1321297230.0000000002EFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1314214773.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1315166483.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1319791841.0000000002EFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1307539655.0000000002EFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1314012323.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1310055446.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1307060024.0000000002E88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1317480969.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1352799164.0000000003410000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1355201068.0000000003422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1359058753.0000000003422000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1349835454.0000000003410000.00000004.00000020.00020000.00000000.sdmp, 6e90c1.tmp.7.dr, 6ea089.tmp.2.dr, 6ea2a6.tmp.14.dr, 6ea3c3.tmp.14.dr, 6e93e4.tmp.6.dr, 6e91ce.tmp.7.dr, 6e9386.tmp.7.dr, 6ea4ee.tmp.14.dr
Source: Binary string: wuser32.pdbUGP source: 6ea267.tmp.14.dr, 6ea451.tmp.14.dr, 6ea335.tmp.14.dr, 6ea15a.tmp.14.dr, 6e91bd.tmp.6.dr, 6e95ab.tmp.6.dr, 6e9385.tmp.6.dr
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1003C600 FindFirstFileA,FindClose, 6_2_1003C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1002A220 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 6_2_1002A220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10034440 FindNextFileA,FindClose,FindFirstFileA,FindClose, 6_2_10034440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1007C5DB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 6_2_1007C5DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10047170 ioctlsocket,recv,recv, 6_2_10047170
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll String found in binary or memory: http://68862320bb.d131.tqxq.com/kdc/banben.txt2.5
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll String found in binary or memory: http://68862320bb.d131.tqxq.com/kdc/dqgg.txt
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll String found in binary or memory: http://item.taobao.com/item.htm?id=36149830965
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll String found in binary or memory: http://item.taobao.com/item.htm?id=36149830965http://item.taobao.com/item.htm?id=36151081551http://s
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll String found in binary or memory: http://item.taobao.com/item.htm?id=36151057950
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll String found in binary or memory: http://item.taobao.com/item.htm?id=36151081551
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll String found in binary or memory: http://s.taobao.com/search?initiative_id=staobaoz_20131120&jc=1&q=%C2%E5%C6%E6%D3%A2%D0%DB%B4%AB%D0%
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll String found in binary or memory: http://s.taobao.com/search?q=%C2%E5%C6%E6%D3%A2%D0%DB%B4%AB%D0%FD%B7%E7%B8%A8%D6%FA&searcy_type=item
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll String found in binary or memory: http://s.taobao.com/search?q=%D0%FD%B7%E7%CD%F8%C2%E7%C1%AA%C3%CB%A2%DA&app=shopsearch5
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll String found in binary or memory: http://www.99tianji.com/w55
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1004FE50 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard, 6_2_1004FE50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1004FFA0 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard, 6_2_1004FFA0
Source: 6ea267.tmp.14.dr Binary or memory string: GetRawInputData memstr_2ce67c2f-6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1007F18E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 6_2_1007F18E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1004E6B0 GetKeyState,GetKeyState,GetKeyState,CopyRect, 6_2_1004E6B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1003C7B0 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 6_2_1003C7B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1003AB00 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow, 6_2_1003AB00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10080D45 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 6_2_10080D45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10017C47 NtQueryInformationProcess, 6_2_10017C47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100450C0 6_2_100450C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1006D770 6_2_1006D770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10067A50 6_2_10067A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10077AE0 6_2_10077AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10035F30 6_2_10035F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10074106 6_2_10074106
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1007E42F 6_2_1007E42F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100328B0 6_2_100328B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1003EA10 6_2_1003EA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10058A10 6_2_10058A10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10034A60 6_2_10034A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1004AB70 6_2_1004AB70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10056BB0 6_2_10056BB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1003CE70 6_2_1003CE70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10066FB0 6_2_10066FB0
Source: C:\Windows\System32\loaddll32.exe Process token adjusted: Load Driver
Source: C:\Windows\System32\loaddll32.exe Process token adjusted: Security
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1006D2AF appears 31 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1007D4F0 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1006DCA4 appears 94 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 808
Source: 6e9feb.tmp.2.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e9c29.tmp.2.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e9da3.tmp.2.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e9ecf.tmp.2.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e92c9.tmp.6.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e8fb6.tmp.6.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e913f.tmp.6.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e9491.tmp.6.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e924c.tmp.7.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e93e5.tmp.7.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e8fa6.tmp.7.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e90f1.tmp.7.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6ea10b.tmp.14.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6ea1f8.tmp.14.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6ea2d6.tmp.14.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6ea402.tmp.14.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 6e8fa6.tmp.7.dr Static PE information: No import functions for PE file found
Source: 6e93e5.tmp.7.dr Static PE information: No import functions for PE file found
Source: 6e90f1.tmp.7.dr Static PE information: No import functions for PE file found
Source: 6ea2d6.tmp.14.dr Static PE information: No import functions for PE file found
Source: 6e92c9.tmp.6.dr Static PE information: No import functions for PE file found
Source: 6e9c29.tmp.2.dr Static PE information: No import functions for PE file found
Source: 6e924c.tmp.7.dr Static PE information: No import functions for PE file found
Source: 6e8fb6.tmp.6.dr Static PE information: No import functions for PE file found
Source: 6e9da3.tmp.2.dr Static PE information: No import functions for PE file found
Source: 6ea1f8.tmp.14.dr Static PE information: No import functions for PE file found
Source: 6e9ecf.tmp.2.dr Static PE information: No import functions for PE file found
Source: 6ea402.tmp.14.dr Static PE information: No import functions for PE file found
Source: 6e9feb.tmp.2.dr Static PE information: No import functions for PE file found
Source: 6ea10b.tmp.14.dr Static PE information: No import functions for PE file found
Source: 6e9491.tmp.6.dr Static PE information: No import functions for PE file found
Source: 6e913f.tmp.6.dr Static PE information: No import functions for PE file found
Source: 6e9ecf.tmp.2.dr Binary string: \Device\IPT[
Source: classification engine Classification label: mal64.evad.winDLL@13/61@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100213B0 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,MulDiv, 6_2_100213B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1007F644 FindResourceA,LoadResource,LockResource, 6_2_1007F644
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3596:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7280
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5544
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5884
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9c29.tmp
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll, DLL
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5544 -s 800
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll", DLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7280 -s 872
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\rundll32.exe Window detected: Number of UI elements: 20
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll Static file information: File size 1313056 > 1048576
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1007F961 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 6_2_1007F961
Source: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll Static PE information: section name: .vmp0
Source: 6e9feb.tmp.2.dr Static PE information: section name: RT
Source: 6e9feb.tmp.2.dr Static PE information: section name: .mrdata
Source: 6e9feb.tmp.2.dr Static PE information: section name: .00cfg
Source: 6ea04a.tmp.2.dr Static PE information: section name: .didat
Source: 6ea089.tmp.2.dr Static PE information: section name: .didat
Source: 6e9c29.tmp.2.dr Static PE information: section name: RT
Source: 6e9c29.tmp.2.dr Static PE information: section name: .mrdata
Source: 6e9c29.tmp.2.dr Static PE information: section name: .00cfg
Source: 6e9cf5.tmp.2.dr Static PE information: section name: .didat
Source: 6e9d64.tmp.2.dr Static PE information: section name: .didat
Source: 6e9da3.tmp.2.dr Static PE information: section name: RT
Source: 6e9da3.tmp.2.dr Static PE information: section name: .mrdata
Source: 6e9da3.tmp.2.dr Static PE information: section name: .00cfg
Source: 6e9e02.tmp.2.dr Static PE information: section name: .didat
Source: 6e9e80.tmp.2.dr Static PE information: section name: .didat
Source: 6e9ecf.tmp.2.dr Static PE information: section name: RT
Source: 6e9ecf.tmp.2.dr Static PE information: section name: .mrdata
Source: 6e9ecf.tmp.2.dr Static PE information: section name: .00cfg
Source: 6e9f5d.tmp.2.dr Static PE information: section name: .didat
Source: 6e9fbb.tmp.2.dr Static PE information: section name: .didat
Source: 6e91bd.tmp.6.dr Static PE information: section name: .didat
Source: 6e927a.tmp.6.dr Static PE information: section name: .didat
Source: 6e92c9.tmp.6.dr Static PE information: section name: RT
Source: 6e92c9.tmp.6.dr Static PE information: section name: .mrdata
Source: 6e92c9.tmp.6.dr Static PE information: section name: .00cfg
Source: 6e9385.tmp.6.dr Static PE information: section name: .didat
Source: 6e93e4.tmp.6.dr Static PE information: section name: .didat
Source: 6e8fb6.tmp.6.dr Static PE information: section name: RT
Source: 6e8fb6.tmp.6.dr Static PE information: section name: .mrdata
Source: 6e8fb6.tmp.6.dr Static PE information: section name: .00cfg
Source: 6e9024.tmp.6.dr Static PE information: section name: .didat
Source: 6e90f0.tmp.6.dr Static PE information: section name: .didat
Source: 6e913f.tmp.6.dr Static PE information: section name: RT
Source: 6e913f.tmp.6.dr Static PE information: section name: .mrdata
Source: 6e913f.tmp.6.dr Static PE information: section name: .00cfg
Source: 6e9491.tmp.6.dr Static PE information: section name: RT
Source: 6e9491.tmp.6.dr Static PE information: section name: .mrdata
Source: 6e9491.tmp.6.dr Static PE information: section name: .00cfg
Source: 6e95ab.tmp.6.dr Static PE information: section name: .didat
Source: 6e960a.tmp.6.dr Static PE information: section name: .didat
Source: 6e91ce.tmp.7.dr Static PE information: section name: .didat
Source: 6e924c.tmp.7.dr Static PE information: section name: RT
Source: 6e924c.tmp.7.dr Static PE information: section name: .mrdata
Source: 6e924c.tmp.7.dr Static PE information: section name: .00cfg
Source: 6e92ab.tmp.7.dr Static PE information: section name: .didat
Source: 6e9386.tmp.7.dr Static PE information: section name: .didat
Source: 6e93e5.tmp.7.dr Static PE information: section name: RT
Source: 6e93e5.tmp.7.dr Static PE information: section name: .mrdata
Source: 6e93e5.tmp.7.dr Static PE information: section name: .00cfg
Source: 6e8fa6.tmp.7.dr Static PE information: section name: RT
Source: 6e8fa6.tmp.7.dr Static PE information: section name: .mrdata
Source: 6e8fa6.tmp.7.dr Static PE information: section name: .00cfg
Source: 6e9014.tmp.7.dr Static PE information: section name: .didat
Source: 6e90c1.tmp.7.dr Static PE information: section name: .didat
Source: 6e90f1.tmp.7.dr Static PE information: section name: RT
Source: 6e90f1.tmp.7.dr Static PE information: section name: .mrdata
Source: 6e90f1.tmp.7.dr Static PE information: section name: .00cfg
Source: 6e916f.tmp.7.dr Static PE information: section name: .didat
Source: 6e9444.tmp.7.dr Static PE information: section name: .didat
Source: 6e94d1.tmp.7.dr Static PE information: section name: .didat
Source: 6ea10b.tmp.14.dr Static PE information: section name: RT
Source: 6ea10b.tmp.14.dr Static PE information: section name: .mrdata
Source: 6ea10b.tmp.14.dr Static PE information: section name: .00cfg
Source: 6ea15a.tmp.14.dr Static PE information: section name: .didat
Source: 6ea19a.tmp.14.dr Static PE information: section name: .didat
Source: 6ea1f8.tmp.14.dr Static PE information: section name: RT
Source: 6ea1f8.tmp.14.dr Static PE information: section name: .mrdata
Source: 6ea1f8.tmp.14.dr Static PE information: section name: .00cfg
Source: 6ea267.tmp.14.dr Static PE information: section name: .didat
Source: 6ea2a6.tmp.14.dr Static PE information: section name: .didat
Source: 6ea2d6.tmp.14.dr Static PE information: section name: RT
Source: 6ea2d6.tmp.14.dr Static PE information: section name: .mrdata
Source: 6ea2d6.tmp.14.dr Static PE information: section name: .00cfg
Source: 6ea335.tmp.14.dr Static PE information: section name: .didat
Source: 6ea3c3.tmp.14.dr Static PE information: section name: .didat
Source: 6ea402.tmp.14.dr Static PE information: section name: RT
Source: 6ea402.tmp.14.dr Static PE information: section name: .mrdata
Source: 6ea402.tmp.14.dr Static PE information: section name: .00cfg
Source: 6ea451.tmp.14.dr Static PE information: section name: .didat
Source: 6ea4ee.tmp.14.dr Static PE information: section name: .didat
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D3172 push edx; mov dword ptr [esp], ebp 6_2_100D3173
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D3172 push edi; mov dword ptr [esp], ecx 6_2_100D423A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D31F2 push dword ptr [esp+34h]; retn 0038h 6_2_100D3218
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D3203 push dword ptr [esp+34h]; retn 0038h 6_2_100D3218
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D541A pushad ; retf 6_2_100D541E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D544C pushfd ; mov dword ptr [esp], 1D1AA032h 6_2_100D5450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D345A push edi; mov dword ptr [esp], ebx 6_2_100D3A97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D547B pushfd ; mov dword ptr [esp], 1D1AA032h 6_2_100D5450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D3484 pushfd ; mov dword ptr [esp], ebp 6_2_100D348E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D353A push BF49E822h; mov dword ptr [esp], esp 6_2_100D43F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D35BC pushfd ; mov dword ptr [esp], EAB2D7E3h 6_2_100D35CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D35C8 pushfd ; mov dword ptr [esp], EAB2D7E3h 6_2_100D35CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D3936 push edi; mov dword ptr [esp], ecx 6_2_100D423A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D397B push dword ptr [esp+58h]; retn 005Ch 6_2_100D40DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D39B2 push dword ptr [esp+58h]; retn 005Ch 6_2_100D40DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D39E0 push dword ptr [esp+58h]; retn 005Ch 6_2_100D40DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D3A96 push edi; mov dword ptr [esp], ebx 6_2_100D3A97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D3B01 pushfd ; mov dword ptr [esp], esi 6_2_100D3F8B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1006DCA4 push eax; ret 6_2_1006DCC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D3E35 push 5D07112Fh; mov dword ptr [esp], 17937626h 6_2_100D47F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D3E43 pushfd ; mov dword ptr [esp], ebp 6_2_100D3E49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D403F push dword ptr [esp+58h]; retn 005Ch 6_2_100D40DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D4134 push DF8CE067h; mov dword ptr [esp], A81949E5h 6_2_100D4139
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D4234 push edi; mov dword ptr [esp], ecx 6_2_100D423A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D45CD push dword ptr [esp+34h]; retn 0038h 6_2_100D460E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D461D push edx; mov dword ptr [esp], 93984BB2h 6_2_100D4623
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100D4611 push edx; mov dword ptr [esp], 93984BB2h 6_2_100D4623
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1006CC90 push eax; ret 6_2_1006CCBE
Source: 6e9feb.tmp.2.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e9c29.tmp.2.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e9da3.tmp.2.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e9ecf.tmp.2.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e92c9.tmp.6.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e8fb6.tmp.6.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e913f.tmp.6.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e9491.tmp.6.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e924c.tmp.7.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e93e5.tmp.7.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e8fa6.tmp.7.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6e90f1.tmp.7.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6ea10b.tmp.14.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6ea1f8.tmp.14.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6ea2d6.tmp.14.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 6ea402.tmp.14.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9444.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e90f0.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e90f1.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6ea4ee.tmp Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9fbb.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6ea2a6.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e91bd.tmp Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9c29.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e913f.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e92ab.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e93e4.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e92c9.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6ea267.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e924c.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6ea402.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e93e5.tmp Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\Local\Temp\6ea04a.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6ea10b.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6ea15a.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e94d1.tmp Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\Local\Temp\6ea089.tmp Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9d64.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9385.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9024.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6ea2d6.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e960a.tmp Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9da3.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e90c1.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9491.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6ea451.tmp Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9e80.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e927a.tmp Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9feb.tmp Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9e02.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e8fb6.tmp Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9ecf.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6ea335.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e95ab.tmp Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9cf5.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9014.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e916f.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6ea1f8.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6ea19a.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6ea3c3.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e91ce.tmp Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9f5d.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e9386.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\6e8fa6.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1006B23D IsIconic,GetWindowPlacement,GetWindowRect, 6_2_1006B23D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10037A70 DestroyCursor,IsWindowVisible,IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMenu,DeleteMenu,GetSystemMenu, 6_2_10037A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1003BCF0 IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsWindow,ShowWindow, 6_2_1003BCF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10038140 IsIconic,IsZoomed, 6_2_10038140
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100328B0 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus, 6_2_100328B0
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe File opened: C:\Windows\SysWOW64\ntdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\ntdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9444.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e90f0.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e90f1.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea4ee.tmp
Source: C:\Windows\System32\loaddll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9fbb.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea2a6.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e91bd.tmp
Source: C:\Windows\System32\loaddll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9c29.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e913f.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e92ab.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e93e4.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e92c9.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea267.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e924c.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea402.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e93e5.tmp
Source: C:\Windows\System32\loaddll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea04a.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea10b.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea15a.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e94d1.tmp
Source: C:\Windows\System32\loaddll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea089.tmp
Source: C:\Windows\System32\loaddll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9d64.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9385.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea2d6.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9024.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e960a.tmp
Source: C:\Windows\System32\loaddll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9da3.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e90c1.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea451.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9491.tmp
Source: C:\Windows\System32\loaddll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9e80.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e927a.tmp
Source: C:\Windows\System32\loaddll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9e02.tmp
Source: C:\Windows\System32\loaddll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9feb.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e8fb6.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea335.tmp
Source: C:\Windows\System32\loaddll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9ecf.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e95ab.tmp
Source: C:\Windows\System32\loaddll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9cf5.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9014.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e916f.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea1f8.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea19a.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6ea3c3.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e91ce.tmp
Source: C:\Windows\System32\loaddll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9f5d.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e9386.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6e8fa6.tmp
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.5 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1003C600 FindFirstFileA,FindClose, 6_2_1003C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1002A220 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 6_2_1002A220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10034440 FindNextFileA,FindClose,FindFirstFileA,FindClose, 6_2_10034440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1007C5DB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 6_2_1007C5DB
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1007F961 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 6_2_1007F961
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100179C0 mov esi, dword ptr fs:[00000030h] 6_2_100179C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001E6BF mov ecx, dword ptr fs:[00000030h] 6_2_1001E6BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10021CF0 GetProcessHeap,RtlAllocateHeap, 6_2_10021CF0
Source: C:\Windows\System32\loaddll32.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001797C RtlAddVectoredExceptionHandler, 6_2_1001797C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100767B5 SetUnhandledExceptionFilter, 6_2_100767B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_100767C7 SetUnhandledExceptionFilter, 6_2_100767C7
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll",#1
Source: 6ea267.tmp.14.dr, 6ea451.tmp.14.dr, 6ea335.tmp.14.dr, 6ea15a.tmp.14.dr, 6e91bd.tmp.6.dr, 6e95ab.tmp.6.dr Binary or memory string: GetProgmanWindow
Source: 6ea267.tmp.14.dr, 6ea451.tmp.14.dr, 6ea335.tmp.14.dr, 6ea15a.tmp.14.dr, 6e91bd.tmp.6.dr, 6e95ab.tmp.6.dr Binary or memory string: SetProgmanWindow
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1006E20A GetLocalTime,GetSystemTime,GetTimeZoneInformation, 6_2_1006E20A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1008636B GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA, 6_2_1008636B
No contacted IP infos