Windows Analysis Report
QualityUpdateAssistant.dll

Overview

General Information

Sample name: QualityUpdateAssistant.dll
Analysis ID: 1432032
MD5: 873fca43ec90d167a4244c9867989030
SHA1: ab368df3c3e152c4efcb2ffc09c4870743d360f3
SHA256: a07d18fed2517e314e001a98b0d3342f27951338e78096a61c3a5a3eb32e3397
Infos:

Detection

Score: 11
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90D34B0 CreateFileW,CreateFileMappingW,MapViewOfFile,GetFileSize,CryptAcquireContextW,CryptCreateHash,CryptHashData,UnmapViewOfFile,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,CloseHandle, 3_2_00007FF8B90D34B0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90CE310 CryptStringToBinaryW,memcmp, 3_2_00007FF8B90CE310
Source: QualityUpdateAssistant.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Source: Binary string: QualityUpdateAssistant.pdb source: rundll32.exe, 00000003.00000002.2121978864.00007FF8B90DF000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2121631983.00007FF8B90DF000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2122674850.00007FF8B90DF000.00000002.00000001.01000000.00000003.sdmp, QualityUpdateAssistant.dll
Source: Binary string: QualityUpdateAssistant.pdbGCTL source: rundll32.exe, 00000003.00000002.2121978864.00007FF8B90DF000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2121631983.00007FF8B90DF000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2122674850.00007FF8B90DF000.00000002.00000001.01000000.00000003.sdmp, QualityUpdateAssistant.dll
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90C5128 FindFirstFileW,FindNextFileW,FindClose, 3_2_00007FF8B90C5128
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90B16E8 PathFileExistsW,GetSystemDirectoryW,GetLastError,FindFirstFileW,DeleteFileW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose, 3_2_00007FF8B90B16E8
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Qua_69d6fdc2216b7557c151bb744884d1a78ca7bd0_cb9a354e_ef734fa1-f744-4e89-a5e4-a6e6eee6643c\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll64.exe_f1e2a93da88b32cda8c0398fc0f16d5f7ea571e1_606702e6_15d5ab69-9905-49c3-8179-a8d144bd5245\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue Jump to behavior
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90CE0C0 PathFileExistsW,CreateDirectoryW,GetLastError,PathFindFileNameW,URLDownloadToFileW, 3_2_00007FF8B90CE0C0
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Contains functionality to call native functions
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90C16D4 PowerClearRequest,GetLastError,NtPowerInformation,GetLastError,CloseHandle,SetLastError, 3_2_00007FF8B90C16D4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90C1514 PowerCreateRequest,GetLastError,CloseHandle,SetLastError,GetLastError,PowerSetRequest,GetLastError,CloseHandle,SetLastError,NtPowerInformation, 3_2_00007FF8B90C1514
Creates files inside the system directory
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\system32\Logs Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90A4D2C 3_2_00007FF8B90A4D2C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90AF744 3_2_00007FF8B90AF744
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90A5A6C 3_2_00007FF8B90A5A6C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90B9AF0 3_2_00007FF8B90B9AF0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90B7AE4 3_2_00007FF8B90B7AE4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90D398C 3_2_00007FF8B90D398C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90C99C4 3_2_00007FF8B90C99C4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90ABC04 3_2_00007FF8B90ABC04
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90C6C7B 3_2_00007FF8B90C6C7B
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90BEE54 3_2_00007FF8B90BEE54
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90ADEB4 3_2_00007FF8B90ADEB4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90ACD10 3_2_00007FF8B90ACD10
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90C607B 3_2_00007FF8B90C607B
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90B329F 3_2_00007FF8B90B329F
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90D4110 3_2_00007FF8B90D4110
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90AD450 3_2_00007FF8B90AD450
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90D34B0 3_2_00007FF8B90D34B0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90C731B 3_2_00007FF8B90C731B
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90B53A8 3_2_00007FF8B90B53A8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90AA3D9 3_2_00007FF8B90AA3D9
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90C9664 3_2_00007FF8B90C9664
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90B16E8 3_2_00007FF8B90B16E8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90B3878 3_2_00007FF8B90B3878
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90A9749 3_2_00007FF8B90A9749
Found potential string decryption / allocating functions
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FF8B90A3068 appears 74 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FF8B90AFBB8 appears 36 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FF8B90A7C3C appears 48 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FF8B90A594C appears 1074 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FF8B90A4818 appears 298 times
One or more processes crash
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7160 -s 516
PE / OLE file has an invalid certificate
Source: QualityUpdateAssistant.dll Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: QualityUpdateAssistant.dll Binary or memory string: OriginalFilenamequalityupdateassistantj% vs QualityUpdateAssistant.dll
Source: classification engine Classification label: clean11.evad.winDLL@14/19@0/0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90C5370 GetEnvironmentVariableW,GetDiskFreeSpaceExW,GetLastError, 3_2_00007FF8B90C5370
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90C5950 CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,SysAllocString,VariantClear, 3_2_00007FF8B90C5950
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7160
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6456
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6548
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3876
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ecb409bf-f25b-4a39-8b08-363364220828 Jump to behavior
Source: QualityUpdateAssistant.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\QualityUpdateAssistant.dll,Execute
Source: rundll32.exe String found in binary or memory: \System32\dism.exe /online /norestart /add-package /packagepath:
Source: rundll32.exe String found in binary or memory: <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>true</RestartOnIdle> </IdleSettings> <RestartOnFailure> <Interval>PT5M</Interval> <Cou
Source: rundll32.exe String found in binary or memory: <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>true</RestartOnIdle> </IdleSettings> <RestartOnFailure> <Interval>PT5M</Interval> <Cou
Source: rundll32.exe String found in binary or memory: ew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable>
Source: rundll32.exe String found in binary or memory: ew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable>
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\QualityUpdateAssistant.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QualityUpdateAssistant.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\QualityUpdateAssistant.dll,Execute
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\QualityUpdateAssistant.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7160 -s 516
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3876 -s 516
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\QualityUpdateAssistant.dll",Execute
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6548 -s 508
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6456 -s 488
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QualityUpdateAssistant.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\QualityUpdateAssistant.dll,Execute Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\QualityUpdateAssistant.dll",Execute Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\QualityUpdateAssistant.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: QualityUpdateAssistant.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: QualityUpdateAssistant.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: QualityUpdateAssistant.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: QualityUpdateAssistant.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: QualityUpdateAssistant.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: QualityUpdateAssistant.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: QualityUpdateAssistant.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: QualityUpdateAssistant.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Source: QualityUpdateAssistant.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: QualityUpdateAssistant.pdb source: rundll32.exe, 00000003.00000002.2121978864.00007FF8B90DF000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2121631983.00007FF8B90DF000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2122674850.00007FF8B90DF000.00000002.00000001.01000000.00000003.sdmp, QualityUpdateAssistant.dll
Source: Binary string: QualityUpdateAssistant.pdbGCTL source: rundll32.exe, 00000003.00000002.2121978864.00007FF8B90DF000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2121631983.00007FF8B90DF000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.2122674850.00007FF8B90DF000.00000002.00000001.01000000.00000003.sdmp, QualityUpdateAssistant.dll
Source: QualityUpdateAssistant.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: QualityUpdateAssistant.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: QualityUpdateAssistant.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: QualityUpdateAssistant.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: QualityUpdateAssistant.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Binary contains a suspicious time stamp
Source: QualityUpdateAssistant.dll Static PE information: 0xC5977AAD [Fri Jan 18 12:08:13 2075 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90B3878 memset,GetModuleFileNameW,PathRemoveFileSpecW,GetLastError,GetLastError,GetLastError,PathFileExistsW,SHGetSpecialFolderPathW,PathFileExistsW,GetLastError,RegCloseKey,SetLastError,RegOpenKeyExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,RegCloseKey, 3_2_00007FF8B90B3878
PE file contains an invalid checksum
Source: QualityUpdateAssistant.dll Static PE information: real checksum: 0x7eabc should be: 0x7eab4
PE file contains sections with non-standard names
Source: QualityUpdateAssistant.dll Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90C880E pushfq ; retf 3_2_00007FF8B90C881B
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\System32\rundll32.exe API coverage: 2.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll64.exe TID: 5656 Thread sleep time: -120000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90B69E8 GetSystemTimeAsFileTime followed by cmp: cmp ecx, 01h and CTI: jne 00007FF8B90B6BE2h 3_2_00007FF8B90B69E8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90C5128 FindFirstFileW,FindNextFileW,FindClose, 3_2_00007FF8B90C5128
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90B16E8 PathFileExistsW,GetSystemDirectoryW,GetLastError,FindFirstFileW,DeleteFileW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose, 3_2_00007FF8B90B16E8
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Qua_69d6fdc2216b7557c151bb744884d1a78ca7bd0_cb9a354e_ef734fa1-f744-4e89-a5e4-a6e6eee6643c\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll64.exe_f1e2a93da88b32cda8c0398fc0f16d5f7ea571e1_606702e6_15d5ab69-9905-49c3-8179-a8d144bd5245\ Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue Jump to behavior
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90A657C GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 3_2_00007FF8B90A657C
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90B3878 memset,GetModuleFileNameW,PathRemoveFileSpecW,GetLastError,GetLastError,GetLastError,PathFileExistsW,SHGetSpecialFolderPathW,PathFileExistsW,GetLastError,RegCloseKey,SetLastError,RegOpenKeyExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,RegCloseKey, 3_2_00007FF8B90B3878
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90A4D2C _vsnwprintf,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 3_2_00007FF8B90A4D2C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90DAFDC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF8B90DAFDC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90DA6A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FF8B90DA6A4
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\QualityUpdateAssistant.dll",#1 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90C4AD0 GetSystemTime,SystemTimeToFileTime,GetLastError, 3_2_00007FF8B90C4AD0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FF8B90D6C88 memset,GetVersionExA,GetLastError, 3_2_00007FF8B90D6C88
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1432032 Sample: QualityUpdateAssistant.dll Startdate: 26/04/2024 Architecture: WINDOWS Score: 11 7 loaddll64.exe 1 2->7         started        process3 9 cmd.exe 1 7->9         started        11 rundll32.exe 1 7->11         started        13 rundll32.exe 7->13         started        15 2 other processes 7->15 process4 17 rundll32.exe 9->17         started        19 WerFault.exe 18 11->19         started        21 WerFault.exe 16 13->21         started        process5 23 WerFault.exe 20 16 17->23         started       
No contacted IP infos