Windows Analysis Report
ZaPNN51vQo.dll

Overview

General Information

Sample name: ZaPNN51vQo.dll (renamed because the original name is a hash value)
Original sample name: f222320a45dad46987e5600556f42a49.dll
Analysis ID: 1579300
MD5: f222320a45dad46987e5600556f42a49
SHA1: 0bc94ccb35d2dd80954b6dde717bcce305597ce6
SHA256: a6c578970637169d77ab319744ba4ef283bfe55816013ee2f3e5036332b3d27d
Tags: dll, Gh0stRAT, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Submitted sample is a known malware sample
AI detected suspicious sample
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: ZaPNN51vQo.dll Avira: detected
Source: ZaPNN51vQo.dll Virustotal: Detection: 82%
Source: ZaPNN51vQo.dll ReversingLabs: Detection: 68%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: ZaPNN51vQo.dll Joe Sandbox ML: detected
Source: ZaPNN51vQo.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453D880 lstrcpyW,FindFirstFileW,FindClose,FindClose, 3_2_0453D880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453D570 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileW,FindClose, 3_2_0453D570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453D930 FindFirstFileW,FindClose,CreateFileW,CloseHandle, 3_2_0453D930
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453D120 wsprintfW,FindFirstFileW,DeleteFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 3_2_0453D120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453CFA0 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,lstrcmpW,lstrcmpW,lstrlenW,FindNextFileW,LocalFree,FindClose, 3_2_0453CFA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C4D880 lstrcpyW,FindFirstFileW,FindClose,FindClose, 4_2_04C4D880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C4CFA0 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,lstrcmpW,lstrcmpW,lstrlenW,FindNextFileW,LocalFree,FindClose, 4_2_04C4CFA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C4D570 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileW,FindClose, 4_2_04C4D570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C4D120 wsprintfW,FindFirstFileW,DeleteFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 4_2_04C4D120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C4D930 FindFirstFileW,FindClose,CreateFileW,CloseHandle, 4_2_04C4D930
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0321CFA0 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,lstrcmpW,lstrcmpW,lstrlenW,FindNextFileW,LocalFree,FindClose, 17_2_0321CFA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0321D120 wsprintfW,FindFirstFileW,DeleteFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 17_2_0321D120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0321D930 FindFirstFileW,FindClose,CreateFileW,CloseHandle, 17_2_0321D930
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0321D570 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileW,FindClose, 17_2_0321D570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0321D880 lstrcpyW,FindFirstFileW,FindClose,FindClose, 17_2_0321D880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0471D880 lstrcpyW,FindFirstFileW,FindClose,FindClose, 18_2_0471D880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0471D570 lstrlenW,FindFirstFileW,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileW,FindClose, 18_2_0471D570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0471D930 FindFirstFileW,FindClose,CreateFileW,CloseHandle, 18_2_0471D930
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0471D120 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 18_2_0471D120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0471CFA0 LocalAlloc,FindFirstFileW,LocalReAlloc,lstrcmpW,lstrcmpW,lstrlenW,FindNextFileW,LocalFree,FindClose, 18_2_0471CFA0

Networking

Source: Network traffic Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.5:49709 -> 162.210.196.168:443
Source: Network traffic Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.5:49764 -> 162.210.196.168:443
Source: Network traffic Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.5:49824 -> 162.210.196.168:443
Source: Network traffic Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.5:49883 -> 162.210.196.168:443
Source: Network traffic Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.5:49943 -> 162.210.196.168:443
Source: Network traffic Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.5:49997 -> 162.210.196.168:443
Source: Network traffic Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.5:49995 -> 162.210.196.168:443
Source: Network traffic Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.5:49994 -> 162.210.196.168:443
Source: Network traffic Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.5:49996 -> 162.210.196.168:443
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 162.210.196.168 443
Source: Joe Sandbox View ASN Name: LEASEWEB-USA-WDCUS LEASEWEB-USA-WDCUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04541A20 InternetOpenW,InternetOpenUrlW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle, 3_2_04541A20
Source: global traffic DNS traffic detected: DNS query: safebrow.flnet.org
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943

Operating System Destruction

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_045405D0 CreateFileW on filename \\.\PHYSICALDRIVE0 3_2_045405D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C505D0 CreateFileW on filename \\.\PHYSICALDRIVE0 4_2_04C505D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_032205D0 CreateFileW on filename \\.\PHYSICALDRIVE0 17_2_032205D0

System Summary

Source: ZaPNN51vQo.dll Initial file: MD5: f222320a45dad46987e5600556f42a49 Family: APT17 Alias: Aurora Panda, APT 17, Deputy Dog, Group 8, Hidden Lynx, Tailgater Team, Axiom, Winnti Group, Group 72, Group72, Tailgater, Ragebeast, Blackfly, Lead, Wicked Spider, APT 17, Dogfish, Wicked Panda, Barium, APT17 Description: APT17 is said to be a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. References: http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html ; http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf ; https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_045405D0: CreateFileW,DeviceIoControl,CloseHandle, 3_2_045405D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453E730 ExitWindowsEx, 3_2_0453E730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C4E730 ExitWindowsEx, 4_2_04C4E730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0321E730 ExitWindowsEx, 17_2_0321E730
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\KB1035627.dat
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04544460 3_2_04544460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04545AC0 3_2_04545AC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04541E80 3_2_04541E80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04545540 3_2_04545540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04543710 3_2_04543710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04542D20 3_2_04542D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_045471D0 3_2_045471D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04543DDD 3_2_04543DDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_045431C0 3_2_045431C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04546190 3_2_04546190
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04543B8E 3_2_04543B8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C55AC0 4_2_04C55AC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C51E80 4_2_04C51E80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C54460 4_2_04C54460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C531C0 4_2_04C531C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C571D0 4_2_04C571D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C53DDD 4_2_04C53DDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C53B8E 4_2_04C53B8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C56190 4_2_04C56190
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C55540 4_2_04C55540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C52D20 4_2_04C52D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_03223710 17_2_03223710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_03223B8E 17_2_03223B8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_03221E80 17_2_03221E80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_03225AC0 17_2_03225AC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_03222D20 17_2_03222D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_03225540 17_2_03225540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_03226190 17_2_03226190
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_032231C0 17_2_032231C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_032271D0 17_2_032271D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_03223DDD 17_2_03223DDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_03224460 17_2_03224460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04724460 18_2_04724460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04725AC0 18_2_04725AC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04721E80 18_2_04721E80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04725540 18_2_04725540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04722D20 18_2_04722D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04723710 18_2_04723710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_047271D0 18_2_047271D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04723DDD 18_2_04723DDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_047231C0 18_2_047231C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04726190 18_2_04726190
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04723B8E 18_2_04723B8E
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 672
Source: ZaPNN51vQo.dll Binary or memory string: OriginalFilenamedllload.dll vs ZaPNN51vQo.dll
Source: classification engine Classification label: mal100.evad.winDLL@19/21@1/1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453E6A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 3_2_0453E6A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C4E6A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 4_2_04C4E6A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0321E6A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 17_2_0321E6A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453CDA0 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,SHGetFileInfo,GetDiskFreeSpaceExA, 3_2_0453CDA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04541760 _wcsrev,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,CreateToolhelp32Snapshot,lstrcmpiW,CloseHandle,CloseHandle, 3_2_04541760
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5780
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6188
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\IEPASS
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\UpdateWindow
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5772
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\43674aa7-5c7b-447f-a5c3-7a5cda7ac0c6
Source: ZaPNN51vQo.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZaPNN51vQo.dll,loop
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZaPNN51vQo.dll,loop
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 672
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 664
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZaPNN51vQo.dll,mydoor
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 676
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 668
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",loop
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",mydoor
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 664
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453EB90 LoadLibraryA,LoadLibraryA,GetProcAddress,LdrInitializeThunk,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryW,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibrar
yW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,Lo 3_2_0453EB90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04547600 push eax; ret 3_2_0454762E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_045476A4 push eax; ret 3_2_045476C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C576A4 push eax; ret 4_2_04C576C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C57600 push eax; ret 4_2_04C5762E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_04922C60 push eax; ret 17_2_04922C8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_03227600 push eax; ret 17_2_0322762E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_032276A4 push eax; ret 17_2_032276C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_03214288 push eax; ret 17_2_032142B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_04727600 push eax; ret 18_2_0472762E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_047276A4 push eax; ret 18_2_047276C2

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 3_2_045405D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 4_2_04C505D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 17_2_032205D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: DeviceIoControl, \\.\PHYSICALDRIVE0 18_2_047205D0

Boot Survival

Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04541026 3_2_04541026
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_045413D8 3_2_045413D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C51026 4_2_04C51026
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C513D8 4_2_04C513D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_03221026 17_2_03221026
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_032213D8 17_2_032213D8
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: OutputDebugStringW count: 141
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 651
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 9215
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: foregroundWindowGot 1775
Source: C:\Windows\SysWOW64\rundll32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_032213D8 17_2_032213D8
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2000 Thread sleep count: 651 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2000 Thread sleep time: -325500s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2000 Thread sleep count: 9215 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2000 Thread sleep time: -4607500s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453D880 lstrcpyW,FindFirstFileW,FindClose,FindClose, 3_2_0453D880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453D570 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileW,FindClose, 3_2_0453D570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453D930 FindFirstFileW,FindClose,CreateFileW,CloseHandle, 3_2_0453D930
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453D120 wsprintfW,FindFirstFileW,DeleteFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 3_2_0453D120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453CFA0 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,lstrcmpW,lstrcmpW,lstrlenW,FindNextFileW,LocalFree,FindClose, 3_2_0453CFA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C4D880 lstrcpyW,FindFirstFileW,FindClose,FindClose, 4_2_04C4D880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C4CFA0 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,lstrcmpW,lstrcmpW,lstrlenW,FindNextFileW,LocalFree,FindClose, 4_2_04C4CFA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C4D570 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileW,FindClose, 4_2_04C4D570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C4D120 wsprintfW,FindFirstFileW,DeleteFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 4_2_04C4D120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04C4D930 FindFirstFileW,FindClose,CreateFileW,CloseHandle, 4_2_04C4D930
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0321CFA0 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,lstrcmpW,lstrcmpW,lstrlenW,FindNextFileW,LocalFree,FindClose, 17_2_0321CFA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0321D120 wsprintfW,FindFirstFileW,DeleteFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 17_2_0321D120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0321D930 FindFirstFileW,FindClose,CreateFileW,CloseHandle, 17_2_0321D930
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0321D570 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileW,FindClose, 17_2_0321D570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0321D880 lstrcpyW,FindFirstFileW,FindClose,FindClose, 17_2_0321D880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0471D880 lstrcpyW,FindFirstFileW,FindClose,FindClose, 18_2_0471D880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0471D570 lstrlenW,FindFirstFileW,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileW,FindClose, 18_2_0471D570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0471D930 FindFirstFileW,FindClose,CreateFileW,CloseHandle, 18_2_0471D930
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0471D120 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 18_2_0471D120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0471CFA0 LocalAlloc,FindFirstFileW,LocalReAlloc,lstrcmpW,lstrcmpW,lstrlenW,FindNextFileW,LocalFree,FindClose, 18_2_0471CFA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04540AC0 GetVersionExW,getsockname,GetVersionExW,lstrcpyW,lstrcpyW,GetSystemInfo,wsprintfW,GlobalMemoryStatus,GetTickCount,wsprintfW,wsprintfW,wsprintfW,wsprintfW,lstrcpyW,lstrlenW,mbstowcs,mbstowcs,lstrcpyW,mbstowcs, 3_2_04540AC0
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 00000011.00000002.4489395546.0000000002E46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453EB90 LoadLibraryA,LoadLibraryA,GetProcAddress,LdrInitializeThunk,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryW,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,Lo 3_2_0453EB90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0453F9CC LoadLibraryW,GetProcAddress,GetProcAddress,GetProcessHeap,HeapFree, 3_2_0453F9CC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 162.210.196.168 443
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZaPNN51vQo.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04541026 __EH_prolog,GetInputState,GetCurrentThreadId,PostThreadMessageW,GetMessageW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,Sleep,GetTickCount,wsprintfW,strstr,WinExec,SetErrorMode,atoi,sprintf,OutputDebugStringA,Sleep,Sleep,Sleep,GetLocalTime,sprintf,OpenEventW,Sleep,Sleep,CloseHandle,atoi,atoi,atoi,atoi,GetTickCount,sprintf,GetTickCount,Sleep,GetTickCount,OpenEventW,WaitForSingleObject,Sleep,CloseHandle,SetErrorMode, 3_2_04541026
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04540AC0 GetVersionExW,getsockname,GetVersionExW,lstrcpyW,lstrcpyW,GetSystemInfo,wsprintfW,GlobalMemoryStatus,GetTickCount,wsprintfW,wsprintfW,wsprintfW,wsprintfW,lstrcpyW,lstrlenW,mbstowcs,mbstowcs,lstrcpyW,mbstowcs, 3_2_04540AC0
Source: rundll32.exe Binary or memory string: avcenter.exe
Source: rundll32.exe Binary or memory string: kxetray.exe
Source: rundll32.exe Binary or memory string: avp.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: rundll32.exe Binary or memory string: ashdisp.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe Binary or memory string: mcshield.exe
Source: rundll32.exe Binary or memory string: 360tray.exe
Source: rundll32.exe Binary or memory string: tmbmsrv.exe
Source: rundll32.exe Binary or memory string: ravmond.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe