Windows Analysis Report a4vEYL53cZ

Overview

General Information

Sample Name: a4vEYL53cZ (renamed file extension from none to dll)
Analysis ID: 492636
MD5: d49772c85d426ce5fe41cf8c5529a5ff
SHA1: 4eaa4a005cd6825706634cf5fb9b95c4f546778e
SHA256: 73541b82ca26c8c60a84354c657c42bd2ece5cfad3f49437a927b4265234b9da
Tags: Dridexexe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
PE file has nameless sections
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to call native functions
PE file contains executable resources (Code or Archives)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Contains capabilities to detect virtual machines
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: a4vEYL53cZ.dll Virustotal: Detection: 55%
Source: a4vEYL53cZ.dll Metadefender: Detection: 51%
Source: a4vEYL53cZ.dll ReversingLabs: Detection: 60%
Source: a4vEYL53cZ.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: ntdll.pdb source: loaddll64.exe, 00000000.00000003.268961827.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.246270161.000001ED8CDD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.248277823.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.255454782.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.262717855.0000000180000000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll64.exe, 00000000.00000003.268961827.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.246270161.000001ED8CDD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.248277823.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.255454782.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.262717855.0000000180000000.00000004.00000001.sdmp
Source: Binary string: FGT7t.pdb source: a4vEYL53cZ.dll
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004FBF8 FindFirstFileExW, 0_2_000000014004FBF8
Source: explorer.exe, 0000000A.00000003.328616920.0000000004C67000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000019.00000000.382237387.0000000003339000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.co/1
Source: explorer.exe, 00000019.00000000.382237387.0000000003339000.00000004.00000001.sdmp String found in binary or memory: http://purl.or
Source: explorer.exe, 00000005.00000000.272918660.0000000006840000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J

System Summary:

PE file has nameless sections
Source: a4vEYL53cZ.dll Static PE information: section name: (empty; 22 nameless sections reported)
Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003B0C8 0_2_000000014003B0C8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003F0FC 0_2_000000014003F0FC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400421C8 0_2_00000001400421C8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400431CC 0_2_00000001400431CC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400504E4 0_2_00000001400504E4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003A688 0_2_000000014003A688
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004271C 0_2_000000014004271C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400447B8 0_2_00000001400447B8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140027954 0_2_0000000140027954
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140053AF0 0_2_0000000140053AF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140045BE0 0_2_0000000140045BE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003BCE4 0_2_000000014003BCE4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004ED58 0_2_000000014004ED58
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140026FF0 0_2_0000000140026FF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019054 0_2_0000000140019054
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001C05C 0_2_000000014001C05C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005078 0_2_0000000140005078
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140053094 0_2_0000000140053094
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400330C4 0_2_00000001400330C4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400380D0 0_2_00000001400380D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140063102 0_2_0000000140063102
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140052110 0_2_0000000140052110
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001311C 0_2_000000014001311C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001154 0_2_0000000140001154
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400311B0 0_2_00000001400311B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400021C8 0_2_00000001400021C8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400231DC 0_2_00000001400231DC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006D1F0 0_2_000000014006D1F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140032214 0_2_0000000140032214
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002A214 0_2_000000014002A214
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002E228 0_2_000000014002E228
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035268 0_2_0000000140035268
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140046264 0_2_0000000140046264
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069278 0_2_0000000140069278
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002F278 0_2_000000014002F278
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004B288 0_2_000000014004B288
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140068292 0_2_0000000140068292
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400362A0 0_2_00000001400362A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400172A8 0_2_00000001400172A8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001E2E4 0_2_000000014001E2E4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140029320 0_2_0000000140029320
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000732C 0_2_000000014000732C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002C348 0_2_000000014002C348
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140038424 0_2_0000000140038424
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B428 0_2_000000014006B428
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005343C 0_2_000000014005343C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005B470 0_2_000000014005B470
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004F4C8 0_2_000000014004F4C8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001B52C 0_2_000000014001B52C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140026540 0_2_0000000140026540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140044584 0_2_0000000140044584
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140061598 0_2_0000000140061598
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004759C 0_2_000000014004759C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400215FC 0_2_00000001400215FC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140051620 0_2_0000000140051620
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140032648 0_2_0000000140032648
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140053644 0_2_0000000140053644
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140067663 0_2_0000000140067663
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001A66C 0_2_000000014001A66C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003C6B0 0_2_000000014003C6B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D6C4 0_2_000000014001D6C4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400356F4 0_2_00000001400356F4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004F708 0_2_000000014004F708
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140024718 0_2_0000000140024718
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001276C 0_2_000000014001276C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000F76C 0_2_000000014000F76C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056790 0_2_0000000140056790
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400557DC 0_2_00000001400557DC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140057820 0_2_0000000140057820
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003E8E0 0_2_000000014003E8E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400258FC 0_2_00000001400258FC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C8FC 0_2_000000014005C8FC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006D904 0_2_000000014006D904
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005918 0_2_0000000140005918
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140020924 0_2_0000000140020924
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140068928 0_2_0000000140068928
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031928 0_2_0000000140031928
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019928 0_2_0000000140019928
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140024940 0_2_0000000140024940
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002D95C 0_2_000000014002D95C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140032964 0_2_0000000140032964
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005497C 0_2_000000014005497C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033984 0_2_0000000140033984
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400479E0 0_2_00000001400479E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002CA14 0_2_000000014002CA14
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006BA1C 0_2_000000014006BA1C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140002A20 0_2_0000000140002A20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140026A24 0_2_0000000140026A24
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002AA90 0_2_000000014002AA90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005AB8 0_2_0000000140005AB8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001CAC8 0_2_000000014001CAC8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006AAD8 0_2_000000014006AAD8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140024AEC 0_2_0000000140024AEC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140041AF4 0_2_0000000140041AF4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002BB18 0_2_000000014002BB18
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000EB3C 0_2_000000014000EB3C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140014B68 0_2_0000000140014B68
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001B74 0_2_0000000140001B74
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002AB7A 0_2_000000014002AB7A
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002AB7F 0_2_000000014002AB7F
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002AB84 0_2_000000014002AB84
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140006B88 0_2_0000000140006B88
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002AB89 0_2_000000014002AB89
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002AB8E 0_2_000000014002AB8E
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002AB93 0_2_000000014002AB93
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002AB98 0_2_000000014002AB98
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002AB9D 0_2_000000014002AB9D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002ABA2 0_2_000000014002ABA2
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002ABA7 0_2_000000014002ABA7
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001DBB8 0_2_000000014001DBB8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000BBC4 0_2_000000014000BBC4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140003BE0 0_2_0000000140003BE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140034BF8 0_2_0000000140034BF8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140050BF4 0_2_0000000140050BF4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016BFC 0_2_0000000140016BFC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005ABFC 0_2_000000014005ABFC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140036C08 0_2_0000000140036C08
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140029C1C 0_2_0000000140029C1C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140026C30 0_2_0000000140026C30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003CC38 0_2_000000014003CC38
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035C80 0_2_0000000140035C80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022C84 0_2_0000000140022C84
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140032CC8 0_2_0000000140032CC8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004CCD4 0_2_000000014004CCD4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140015D04 0_2_0000000140015D04
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001AD0C 0_2_000000014001AD0C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140037D24 0_2_0000000140037D24
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001CD24 0_2_000000014001CD24
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005CD24 0_2_000000014005CD24
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001FD44 0_2_000000014001FD44
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140052D60 0_2_0000000140052D60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000AD5C 0_2_000000014000AD5C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003DDA4 0_2_000000014003DDA4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140050DA8 0_2_0000000140050DA8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005CDAB 0_2_000000014005CDAB
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140030DC0 0_2_0000000140030DC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140051DE4 0_2_0000000140051DE4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018DE8 0_2_0000000140018DE8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006BE28 0_2_000000014006BE28
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140006E34 0_2_0000000140006E34
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002AE48 0_2_000000014002AE48
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140068E58 0_2_0000000140068E58
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001EE68 0_2_000000014001EE68
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140004E68 0_2_0000000140004E68
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000CEAC 0_2_000000014000CEAC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140011EB4 0_2_0000000140011EB4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140014EBC 0_2_0000000140014EBC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140013ED4 0_2_0000000140013ED4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140057FA8 0_2_0000000140057FA8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005CFCA 0_2_000000014005CFCA
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140047FCC 0_2_0000000140047FCC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140025FD4 0_2_0000000140025FD4
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003F0FC CreateFileMappingW,NtDuplicateObject,NtDuplicateObject, 0_2_000000014003F0FC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003F348 NtDuplicateObject, 0_2_000000014003F348
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003F3EC NtDuplicateObject, 0_2_000000014003F3EC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400455F8 NtAllocateVirtualMemory, 0_2_00000001400455F8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140059688 NtTerminateProcess, 0_2_0000000140059688
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004386C NtDelayExecution, 0_2_000000014004386C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048B2C NtCreateMutant, 0_2_0000000140048B2C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003BCE4 NtDuplicateObject, 0_2_000000014003BCE4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140049CF8 NtClose, 0_2_0000000140049CF8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140028E60 NtDuplicateObject, 0_2_0000000140028E60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140028EF8 NtDuplicateObject,NtDuplicateObject, 0_2_0000000140028EF8
PE file contains executable resources (Code or Archives)
Source: a4vEYL53cZ.dll Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Sample file is different than original file name gathered from version info
Source: a4vEYL53cZ.dll Binary or memory string: OriginalFilenameTeltwFoo.exe2 vs a4vEYL53cZ.dll
PE file contains strange resources
Source: a4vEYL53cZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: a4vEYL53cZ.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: a4vEYL53cZ.dll Static PE information: Number of sections: 28 > 10
Source: a4vEYL53cZ.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\a4vEYL53cZ.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\a4vEYL53cZ.dll',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\a4vEYL53cZ.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\a4vEYL53cZ.dll,??0?$PatternProvider@VExpandCollapseProvider@DirectUI@@UIExpandCollapseProvider@@$00@DirectUI@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\a4vEYL53cZ.dll,??0?$PatternProvider@VGridItemProvider@DirectUI@@UIGridItemProvider@@$01@DirectUI@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\a4vEYL53cZ.dll,??0?$PatternProvider@VGridProvider@DirectUI@@UIGridProvider@@$02@DirectUI@@QEAA@XZ
Source: unknown Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db
Source: classification engine Classification label: mal56.evad.winDLL@17/1@0/0
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003F498 GetProcessId,CreateToolhelp32Snapshot,Thread32First,Thread32Next, 0_2_000000014003F498
Source: unknown Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: a4vEYL53cZ.dll Static PE information: More than 4320 > 100 exports found
Source: a4vEYL53cZ.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: a4vEYL53cZ.dll Static file information: File size 1368064 > 1048576
Source: a4vEYL53cZ.dll Static PE information: section name: RT_CURSOR
Source: a4vEYL53cZ.dll Static PE information: section name: RT_BITMAP
Source: a4vEYL53cZ.dll Static PE information: section name: RT_ICON
Source: a4vEYL53cZ.dll Static PE information: section name: RT_MENU
Source: a4vEYL53cZ.dll Static PE information: section name: RT_DIALOG
Source: a4vEYL53cZ.dll Static PE information: section name: RT_STRING
Source: a4vEYL53cZ.dll Static PE information: section name: RT_ACCELERATOR
Source: a4vEYL53cZ.dll Static PE information: section name: RT_GROUP_ICON
Source: a4vEYL53cZ.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: a4vEYL53cZ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006E5C9 push 00000031h; retf 0_2_000000014006E5CB
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006E6A4 push rsp; retf 0_2_000000014006E6A5
PE file contains sections with non-standard names
Source: a4vEYL53cZ.dll Static PE information: section name: (empty; 22 nameless sections reported)
PE file contains an invalid checksum
Source: a4vEYL53cZ.dll Static PE information: real checksum: 0x70461819 should be: 0x15505c
Source: initial sample Static PE information: section name: .text entropy: 7.84727441246

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll64.exe TID: 4084 Thread sleep count: 999 > 30
Source: C:\Windows\System32\loaddll64.exe TID: 4084 Thread sleep time: -99900s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 4084 Thread sleep time: -60000s >= -30000s
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\loaddll64.exe Window / User API: threadDelayed 999
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 1092
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 1000
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 1099
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 880
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400447B8 GetTokenInformation,GetTokenInformation,GetSystemInfo, 0_2_00000001400447B8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004FBF8 FindFirstFileExW, 0_2_000000014004FBF8
Source: explorer.exe, 00000005.00000000.260886095.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000005.00000000.260886095.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000014.00000000.345846492.000000000493C000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400421C8 LdrLoadDll, 0_2_00000001400421C8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140045800 RtlAddVectoredExceptionHandler, 0_2_0000000140045800

HIPS / PFW / Operating System Protection Evasion:

Queues an APC in another process (thread injection)
Source: C:\Windows\System32\loaddll64.exe Thread APC queued: target process: C:\Windows\explorer.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\a4vEYL53cZ.dll',#1
Source: rundll32.exe, 00000006.00000002.778909245.000002B522320000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.779015031.000002C96D870000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.296780271.0000000001600000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.343068264.0000000001510000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.380841719.00000000017D0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000003.00000002.779972207.000001ED8D260000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.268809773.0000000001400000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.778909245.000002B522320000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.779015031.000002C96D870000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.299525111.0000000005007000.00000004.00000001.sdmp, explorer.exe, 00000014.00000000.349730646.00000000051F0000.00000004.00000001.sdmp, explorer.exe, 00000019.00000000.380841719.00000000017D0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.427551817.0000000005640000.00000004.00000001.sdmp, explorer.exe, 00000024.00000000.476541398.00000000017E0000.00000002.00020000.sdmp, explorer.exe, 00000029.00000000.536121227.0000000001450000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000002.779972207.000001ED8D260000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.268809773.0000000001400000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.778909245.000002B522320000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.779015031.000002C96D870000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.296365590.0000000001018000.00000004.00000020.sdmp, explorer.exe, 00000014.00000000.349730646.00000000051F0000.00000004.00000001.sdmp, explorer.exe, 00000019.00000000.380841719.00000000017D0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.427551817.0000000005640000.00000004.00000001.sdmp, explorer.exe, 00000024.00000000.476541398.00000000017E0000.00000002.00020000.sdmp, explorer.exe, 00000029.00000000.547487382.0000000004D35000.00000004.00000001.sdmp Binary or memory string: Progman

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140043FF0 GetUserNameW, 0_2_0000000140043FF0
No contacted IP infos