Click to jump to signature section
Source: test2.dll | Virustotal: Detection: 39% | Perma Link |
Source: 0.2.loaddll32.exe.10000000.0.unpack | Avira: Label: TR/Patched.Ren.Gen2 |
Source: 3.2.rundll32.exe.10000000.0.unpack | Avira: Label: TR/Patched.Ren.Gen2 |
Source: test2.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net |
Source: Yara match | File source: test2.dll, type: SAMPLE |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: test2.dll, type: SAMPLE |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE |
Source: test2.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
Source: test2.dll | Static PE information: No import functions for PE file found |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 636 |
Source: test2.dll | Virustotal: Detection: 39% |
Source: test2.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\test2.dll" | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 | |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 636 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5092 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:488:120:WilError_01 |
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF153.tmp | Jump to behavior |
Source: classification engine | Classification label: mal68.troj.winDLL@7/6@0/0 |
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075C079 push ebx; ret | 3_2_0075C093 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0076AC78 push eax; iretd | 3_2_0076AC79 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0076A050 pushad ; ret | 3_2_0076A12D |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0076D25D pushfd ; ret | 3_2_0076D283 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0076BE4D pushad ; ret | 3_2_0076BE59 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0076A832 push esp; ret | 3_2_0076A833 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00769022 push ebp; ret | 3_2_0076902B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_007662E9 push ds; ret | 3_2_00766363 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00768ED0 pushad ; ret | 3_2_00768ED1 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075EAAD push edx; retf | 3_2_0075EB39 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075EAA8 pushad ; retf | 3_2_0075EAA9 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0076CE9D push cs; ret | 3_2_0076CF13 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075E975 push edi; ret | 3_2_0075E98B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075CF72 push esi; ret | 3_2_0075D023 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00766364 push es; ret | 3_2_007663A3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075A952 push esp; ret | 3_2_0075A953 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075E95D push esp; ret | 3_2_0075E973 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075E95A push ecx; ret | 3_2_0075E95B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075C735 push es; ret | 3_2_0075C75B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00769725 pushad ; ret | 3_2_0076998B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075EB22 push edx; retf | 3_2_0075EB39 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075AB10 push edi; ret | 3_2_0075AB11 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075A912 push eax; ret | 3_2_0075A933 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075D91C push 800075D8h; iretd | 3_2_0075D921 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075C700 push 200075C7h; retn 0075h | 3_2_0075C70D |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075EB0F push ecx; retf | 3_2_0075EB21 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_007663E2 push cs; ret | 3_2_007663E3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0076CFDD push esi; ret | 3_2_0076D053 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0075E7C0 push ds; ret | 3_2_0075E7C3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0076B1BE pushfd ; ret | 3_2_0076B27B |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00760BA5 push ecx; ret | 3_2_00760BBB |
Source: Yara match | File source: test2.dll, type: SAMPLE |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: Amcache.hve.6.dr | Binary or memory string: VMware |
Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.6.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.6.dr | Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed |
Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.6.dr | Binary or memory string: VMware7,1 |
Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.me |
Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 | Jump to behavior |
Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Yara match | File source: test2.dll, type: SAMPLE |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: test2.dll, type: SAMPLE |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE |