Analysis Report utility.dll

Overview

General Information

Sample Name: utility.dll
Analysis ID: 385485
MD5: c84fd1069470c4f7cbcd9fa10fc32615
SHA1: 94ca6af9cae336754da47e2b8694a1f33db78e89
SHA256: 59d2ed9608ac543bd671da7b17558ebce275f64dd80fc84abd10fd31dea49c5e

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002170 FileEncrypt, 0_2_10002170
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002290 FileDecrypt, 0_2_10002290
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004340 SecuritySave,CompareFileTime,CompareFileTime,CompareFileTime,EncryptEx, 0_2_10004340
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001D30 Encrypt,SysAllocStringLen, 0_2_10001D30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001E50 EncryptEx, 0_2_10001E50
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10003E90 SecurityLoad,SecurityWipeMemory,GetSystemTime,SystemTimeToFileTime,wsprintfA,lstrcpyA,wsprintfA,wsprintfA,lstrlenA,lstrcpyA,lstrcpynA,DecryptEx, 0_2_10003E90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001EB0 DecryptEx, 0_2_10001EB0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001F10 Decrypt,SysAllocStringLen, 0_2_10001F10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001FF0 Decrypt2BinStr, 0_2_10001FF0

Compliance:

Uses 32bit PE files
Source: utility.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: utility.dll Static PE information: certificate valid
Source: unknown DNS traffic detected: queries for: clientconfig.passport.net
Source: utility.dll String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: utility.dll String found in binary or memory: http://ocsp.thawte.com0
Source: utility.dll String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: utility.dll String found in binary or memory: http://t2.symcb.com0
Source: utility.dll String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: utility.dll String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: utility.dll String found in binary or memory: http://tl.symcd.com0&
Source: utility.dll String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: utility.dll String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: utility.dll String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: utility.dll String found in binary or memory: https://www.thawte.com/cps0/
Source: utility.dll String found in binary or memory: https://www.thawte.com/repository0

System Summary:

Detected potential crypto function
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 688
Uses 32bit PE files
Source: utility.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: classification engine Classification label: clean8.winDLL@51/32@1/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4120
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6220
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess460
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4928
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess908
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5436
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5988
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1268
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD60F.tmp
Source: utility.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\win.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,CPUSpeed
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\utility.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,CPUSpeed
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 688
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 696
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 688
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt2BinStr
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 688
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DecryptEx
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 688
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Deflate
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 688
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DeflateToMemory
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 688
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawEnumDisplayModes
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawIsSupported
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawRestoreDisplayMode
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawSetDisplayMode
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryAdd
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 688
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryClear
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryDump
Source: utility.dll Static PE information: certificate valid

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100078C0 ToolsSetDefaultPrinter,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_100078C0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10016730 push eax; ret 0_2_1001675E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10016730 push eax; ret 3_2_1001675E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_10016730 push eax; ret 33_2_1001675E

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000CA50 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_1000CA50
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100019D0 rdtsc 0_2_100019D0
Contains functionality to query network adapter information
Source: C:\Windows\System32\loaddll32.exe Code function: SysInfoGetAdaptersInfo,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree, 0_2_10006DB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: SysInfoGetAdaptersInfo,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree, 3_2_10006DB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: SysInfoGetAdaptersInfo,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree, 33_2_10006DB0
Found large amount of non-executed APIs
Source: C:\Windows\System32\loaddll32.exe API coverage: 1.4 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.9 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100019D0 rdtsc 0_2_100019D0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100019D0 CPUSpeed,LdrInitializeThunk,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceCounter,GetThreadPriority,SetThreadPriority,QueryPerformanceCounter,QueryPerformanceCounter,SetThreadPriority, 3_2_100019D0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100078C0 ToolsSetDefaultPrinter,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_100078C0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000ABF0 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,CloseHandle, 0_2_1000ABF0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001C4FB SetUnhandledExceptionFilter, 0_2_1001C4FB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001C50D SetUnhandledExceptionFilter, 0_2_1001C50D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001C4FB SetUnhandledExceptionFilter, 3_2_1001C4FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001C50D SetUnhandledExceptionFilter, 3_2_1001C50D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_1001C4FB SetUnhandledExceptionFilter, 33_2_1001C4FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_1001C50D SetUnhandledExceptionFilter, 33_2_1001C50D

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: loaddll32.exe, 00000000.00000002.589316441.00000000011F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.589316441.00000000011F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.589316441.00000000011F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.589316441.00000000011F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10003E90 SecurityLoad,SecurityWipeMemory,GetSystemTime,SystemTimeToFileTime,wsprintfA,lstrcpyA,wsprintfA,wsprintfA,lstrlenA,lstrcpyA,lstrcpynA,DecryptEx, 0_2_10003E90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001D1A2 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_1001D1A2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10017756 GetVersion,GetCommandLineA, 0_2_10017756

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004A80 ServerListen,_rand,__ftol,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup, 0_2_10004A80
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004B60 ServerListenOnPort,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup, 0_2_10004B60
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004D70 ServerIsListening, 0_2_10004D70
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004DE0 socket,WSAAsyncSelect,closesocket,htons,bind,closesocket,listen,closesocket, 0_2_10004DE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004A80 ServerListen,_rand,__ftol,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup, 3_2_10004A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004B60 ServerListenOnPort,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup, 3_2_10004B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004D70 ServerIsListening, 3_2_10004D70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004DE0 socket,WSAAsyncSelect,closesocket,htons,bind,closesocket,listen,closesocket, 3_2_10004DE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_10004A80 ServerListen,_rand,__ftol,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup, 33_2_10004A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_10004B60 ServerListenOnPort,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup, 33_2_10004B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_10004D70 ServerIsListening, 33_2_10004D70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_10004DE0 socket,WSAAsyncSelect,closesocket,htons,bind,closesocket,listen,closesocket, 33_2_10004DE0
[Behavior graph image not recoverable. Behavior Graph ID: 385485, Sample: utility.dll, Start date: 12/04/2021, Architecture: WINDOWS, Score: 8. Contacted domain: clientconfig.passport.net. Process tree shown in the graph: loaddll32.exe started cmd.exe, two rundll32.exe instances and 11 other processes; cmd.exe started rundll32.exe, which started WerFault.exe; each rundll32.exe started by loaddll32.exe started WerFault.exe; the 11 other processes started three WerFault.exe instances and 2 other processes.]
No contacted IP infos

Contacted Domains

Name                       IP        Active
clientconfig.passport.net  unknown   unknown