Windows Analysis Report
SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll

Overview

General Information

Sample name: SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll
Analysis ID: 1644657
MD5: 7b713bb307ce6398be2034c18ccca1d6
SHA1: a4c59b23f33606d9054c56dec13ed0c5e5719850
SHA256: f8b5d7cfd2efa129ed496aeadc6756be5603c7e0f9995c9fef691159b6de7ba9
Tags: dlluser-SecuriteInfoCom

Detection

Score: 60
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Joe Sandbox ML detected suspicious sample
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Enables driver privileges
Enables security privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

[Classification chart. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Legend: clean, suspicious, malicious]

AV Detection

Source: SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll Avira: detected
Source: SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll ReversingLabs: Detection: 48%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 92.6% probability
Source: SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10019520 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 0_2_10019520
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100244D0 FindNextFileA,FindClose,FindFirstFileA,FindClose, 0_2_100244D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1006C69B __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_1006C69B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002C810 FindFirstFileA,FindClose, 0_2_1002C810
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10019520 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 3_2_10019520
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100244D0 FindNextFileA,FindClose,FindFirstFileA,FindClose, 3_2_100244D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1006C69B __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 3_2_1006C69B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002C810 FindFirstFileA,FindClose, 3_2_1002C810
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\ Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_4ffe0548e225dede6db5260b5873ee8a910_952b8cde_3652b0c0-b577-4266-9be8-12c7e712488a\ Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_b865344195a016a7b3cfd6083efc94b48ed2e5e_7522e4b5_2127fad1-eed4-4398-aff9-a056d846f31d\ Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100370F0 ioctlsocket,recv,recv, 0_2_100370F0
Source: Amcache.hve.10.dr String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll String found in binary or memory: http://www.99tre.com/
Source: SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll String found in binary or memory: http://www.99tre.com/q
Source: SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll String found in binary or memory: http://www.baidu.com/s?ie=utf-8&bs=%E8%B7%91%E8%B7%91%E8%BD%A6%E7%A5%9E%E8%BE%85%E5%8A%A9%E5%AE%98%E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003FCD0 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_1003FCD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003FCD0 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_1003FCD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003FE20 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_1003FE20
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1006F250 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_1006F250
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1003E530 GetKeyState,GetKeyState,GetKeyState,CopyRect, 0_2_1003E530
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002C9C0 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_1002C9C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002AD10 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow, 0_2_1002AD10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10070E02 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_10070E02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1006F250 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_1006F250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003E530 GetKeyState,GetKeyState,GetKeyState,CopyRect, 3_2_1003E530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002C9C0 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 3_2_1002C9C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002AD10 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow, 3_2_1002AD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10070E02 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 3_2_10070E02
Source: C:\Windows\System32\loaddll32.exe Process token adjusted: Load Driver Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process token adjusted: Security Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 1005D38F appears 31 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 1006D5AF appears 44 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 1005E304 appears 94 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1005D38F appears 31 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1006D5AF appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1005E304 appears 94 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 716
Source: classification engine Classification label: mal60.winDLL@14/17@0/0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1006D02E FindResourceA,LoadResource,LockResource, 0_2_1006D02E
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7068
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7144
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7128
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3016
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f1072644-ae8c-4183-96c1-c38a6fd40a59 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll,main
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 708
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll",main
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 700
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll Static file information: File size 1235106 > 1048576
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100676EF LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_100676EF
Source: SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll Static PE information: section name: .vmp0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C71CA push AA6BA7D7h; mov dword ptr [esp], ecx 0_2_100C71F5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C71CA pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C73B9 pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C73F4 pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C7426 push esp; mov dword ptr [esp], esi 0_2_100C7427
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C7486 pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C74BC pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C750A pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C75C9 pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C76A1 pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005B85A push ss; ret 0_2_1005B860
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005B86C pushad ; retf 0006h 0_2_1005B86D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C7877 pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C78CE pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C7955 pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C79FA pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C7B2D push dword ptr [esp+18h]; retn 001Ch 0_2_100C7B4A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C616C pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005E304 push eax; ret 0_2_1005E322
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C644C pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C648B pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C650A pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C6529 pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C658B pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C668A pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C6748 push dword ptr [esp]; mov dword ptr [esp], esp 0_2_100C6751
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C67DD pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C684E pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C686D pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C68C6 pushfd ; mov dword ptr [esp], ecx 0_2_100C7A01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100C68E5 push dword ptr [esp+54h]; retn 0058h 0_2_100C6B1B
Source: SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll Static PE information: section name: .vmp0 entropy: 7.622318314866743
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005B38D IsIconic,GetWindowPlacement,GetWindowRect, 0_2_1005B38D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10027C00 DestroyCursor,IsWindowVisible,IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMenu,DeleteMenu,GetSystemMenu, 0_2_10027C00
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002BF00 IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsWindow,ShowWindow, 0_2_1002BF00
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100282D0 IsIconic,IsZoomed, 0_2_100282D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10022940 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus, 0_2_10022940
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1005B38D IsIconic,GetWindowPlacement,GetWindowRect, 3_2_1005B38D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10027C00 DestroyCursor,IsWindowVisible,IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMenu,DeleteMenu,GetSystemMenu, 3_2_10027C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002BF00 IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsWindow,ShowWindow, 3_2_1002BF00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100282D0 IsIconic,IsZoomed, 3_2_100282D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10022940 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus, 3_2_10022940
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\loaddll32.exe API coverage: 3.5 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.4 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10019520 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 0_2_10019520
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100244D0 FindNextFileA,FindClose,FindFirstFileA,FindClose, 0_2_100244D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1006C69B __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_1006C69B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002C810 FindFirstFileA,FindClose, 0_2_1002C810
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10019520 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 3_2_10019520
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100244D0 FindNextFileA,FindClose,FindFirstFileA,FindClose, 3_2_100244D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1006C69B __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 3_2_1006C69B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002C810 FindFirstFileA,FindClose, 3_2_1002C810
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_4ffe0548e225dede6db5260b5873ee8a910_952b8cde_3652b0c0-b577-4266-9be8-12c7e712488a\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_b865344195a016a7b3cfd6083efc94b48ed2e5e_7522e4b5_2127fad1-eed4-4398-aff9-a056d846f31d\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: Amcache.hve.10.dr Binary or memory string: VMware
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.10.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100676EF LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_100676EF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007524 mov eax, dword ptr fs:[00000030h] 0_2_10007524
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10006F93 mov esi, dword ptr fs:[00000030h] 0_2_10006F93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10007524 mov eax, dword ptr fs:[00000030h] 3_2_10007524
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10006F93 mov esi, dword ptr fs:[00000030h] 3_2_10006F93
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10011010 GetProcessHeap,RtlAllocateHeap, 0_2_10011010
Source: C:\Windows\System32\loaddll32.exe Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10003B57 RtlAddVectoredExceptionHandler, 0_2_10003B57
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1006704D SetUnhandledExceptionFilter, 0_2_1006704D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1006705F SetUnhandledExceptionFilter, 0_2_1006705F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10003B57 RtlAddVectoredExceptionHandler, 3_2_10003B57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1006704D SetUnhandledExceptionFilter, 3_2_1006704D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1006705F SetUnhandledExceptionFilter, 3_2_1006705F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Fragtor.22511.14326.1853.dll",#1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005E7CA GetLocalTime,GetSystemTime,GetTimeZoneInformation, 0_2_1005E7CA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1006715B GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_1006715B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005B770 GetVersion,GetCommandLineA, 0_2_1005B770
Source: Amcache.hve.10.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: MsMpEng.exe
No contacted IP infos