Source: Scan.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: Scan.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: | Binary string: scan.pdb source: rundll32.exe, 00000006.00000000.253410662.000000006DEC8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll
Source: rundll32.exe, 00000006.00000000.254410933.000000006DF3B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll | String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: Scan.dll | String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: rundll32.exe, 00000006.00000000.253410662.000000006DEC8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll | String found in binary or memory: http://www.aiim.org/pdfa/ns/id/partconformanceAIDS_LearnMoreScan_EventGTS_PDFA1sRGBIEC
Source: rundll32.exe, 00000006.00000000.254410933.000000006DF3B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll | String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: rundll32.exe, 00000006.00000000.254410933.000000006DF3B000.00000002.00000001.01000000.00000003.sdmp, Scan.dll | String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: rundll32.exe, rundll32.exe, 00000006.00000000.253410662.000000006DEC8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll | String found in binary or memory: http://www.color.org
Source: rundll32.exe, 00000006.00000000.253410662.000000006DEC8000.00000002.00000001.01000000.00000003.sdmp, Scan.dll | String found in binary or memory: http://www.color.orgOutputIntentsSOutputConditionOutputConditionIdentifierRegistryNameFilterNDestOut
Source: loaddll32.exe, 00000000.00000002.258546917.000000000101B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Scan.dll | Binary or memory string: OriginalFilenameScan.apiD vs Scan.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6384 -s 680
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE5CDD0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DEB79D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE8DDA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE88D40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE818E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE804C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE94C40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE90040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE12BE0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE1EFC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE847A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE7EBB0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE7CB80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE87F90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE8FB50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE8B330
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE8D700
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE5FEE0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE7DED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE7BA80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE84A60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE7D670
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE82230
Source: Scan.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Scan.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Scan.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Scan.dll
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,DllUnregisterServer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Scan.dll,PlugInMain
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6384
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6B2.tmp
Source: classification engine | Classification label: sus26.winDLL@14/4@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE76D00 CoCreateInstance,StringFromGUID2,WideCharToMultiByte,strcpy_s,strcat_s,strcat_s,strcat_s,RegOpenKeyExA,RegQueryInfoKeyA,RegCloseKey,strcpy_s,strcat_s,strcat_s,strcat_s,RegOpenKeyExA,RegCloseKey,RegCloseKey,RegQueryInfoKeyA,RegCloseKey,RegCloseKey,RegCloseKey,free,free
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Scan.dll | Static file information: File size 1282659 > 1048576
Source: Scan.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Scan.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Scan.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Scan.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Scan.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Scan.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Scan.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Scan.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Scan.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Scan.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Scan.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\WerFault.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 0.9 %
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DEC1CA2 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DEC145D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DE2AA67 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DEC1E2B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter