Windows Analysis Report
https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip

Overview

General Information

Sample URL: https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip
Analysis ID: 597349
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

DLL side loading technique detected
Sigma detected: Suspicious Call by Ordinal
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Found large amount of non-executed APIs
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Creates a process in suspended mode (likely to inject code)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.11.20:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.110.133:443 -> 192.168.11.20:49751 version: TLS 1.2
Source: Binary string: C:\projects\compare-plugin\Notepad++\plugins\ComparePlugin.pdb source: rundll32.exe, 00000008.00000002.53133614574.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000000.53107375345.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.53160095731.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000000.53198315997.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000016.00000000.53197555059.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, ComparePlugin.dll.4.dr
Source: Binary string: c:\dev\sqlite\core\sqlite3.pdb source: sqlite3.dll.4.dr
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDCA3784 FindFirstFileExA, 8_2_00007FFBBDCA3784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: wget.exe, 00000002.00000002.53072409006.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.53071734243.0000000000A67000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.53070031005.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wget.exe, wget.exe, 00000002.00000002.53072409006.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.53070031005.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000002.53072409006.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.53071734243.0000000000A67000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.53070031005.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000002.00000002.53072409006.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.53070031005.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crlJ
Source: git2.dll.4.dr String found in binary or memory: http://libgit2.github.com/D
Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.dr String found in binary or memory: http://upx.sf.net
Source: 7za.exe, 00000004.00000003.53082213532.0000000003240000.00000004.00000800.00020000.00000000.sdmp, sqlite3.dll.4.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: rundll32.exe, 00000008.00000002.53133927537.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000002.53134812123.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000000.53134991199.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.53225101572.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000016.00000000.53197852442.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, ComparePlugin.dll.4.dr String found in binary or memory: https://github.com/jsleroy/compare-plugin
Source: rundll32.exe, 00000008.00000002.53133927537.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000002.53134812123.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000000.53134991199.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.53225101572.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000016.00000000.53197852442.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, ComparePlugin.dll.4.dr String found in binary or memory: https://github.com/pnedev/compare-plugin
Source: wget.exe, wget.exe, 00000002.00000002.53071734243.0000000000A67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugi
Source: wget.exe, 00000002.00000002.53071396618.0000000000190000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr String found in binary or memory: https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip
Source: wget.exe, 00000002.00000002.53072228538.0000000001410000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip_5
Source: wget.exe, 00000002.00000002.53072228538.0000000001410000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zipneDriv
Source: cmdline.out.0.dr String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/50095301/f0aad92b-ebf9-
Source: unknown DNS traffic detected: queries for: github.com
Source: global traffic HTTP traffic detected: GET /pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: */*Accept-Encoding: identityHost: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /github-production-release-asset-2e65be/50095301/f0aad92b-ebf9-49d7-8eb8-da1dde346952?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220325%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220325T191320Z&X-Amz-Expires=300&X-Amz-Signature=5053414ddd70e50734eacb002da0a5ed0adb35bb4bd3c967d01196cf1c48f106&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50095301&response-content-disposition=attachment%3B%20filename%3DComparePlugin_v2.0.2_X64.zip&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: */*Accept-Encoding: identityHost: objects.githubusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.11.20:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.110.133:443 -> 192.168.11.20:49751 version: TLS 1.2
One or more processes crash
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3196 -s 436
Detected potential crypto function
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC94E30 8_2_00007FFBBDC94E30
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC825E0 8_2_00007FFBBDC825E0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC8FE10 8_2_00007FFBBDC8FE10
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC945B0 8_2_00007FFBBDC945B0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC9FDA4 8_2_00007FFBBDC9FDA4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC905A0 8_2_00007FFBBDC905A0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDCA3578 8_2_00007FFBBDCA3578
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC91580 8_2_00007FFBBDC91580
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDCAB4D3 8_2_00007FFBBDCAB4D3
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC83CC0 8_2_00007FFBBDC83CC0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC894C0 8_2_00007FFBBDC894C0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC82890 8_2_00007FFBBDC82890
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDCAA098 8_2_00007FFBBDCAA098
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDCAA890 8_2_00007FFBBDCAA890
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC90880 8_2_00007FFBBDC90880
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC88800 8_2_00007FFBBDC88800
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC81FA0 8_2_00007FFBBDC81FA0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDCA5760 8_2_00007FFBBDCA5760
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC8DF80 8_2_00007FFBBDC8DF80
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC89720 8_2_00007FFBBDC89720
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDCAAEFC 8_2_00007FFBBDCAAEFC
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC94280 8_2_00007FFBBDC94280
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC861F0 8_2_00007FFBBDC861F0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC8A9D0 8_2_00007FFBBDC8A9D0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDCAB170 8_2_00007FFBBDCAB170
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC9D910 8_2_00007FFBBDC9D910
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC860C0 8_2_00007FFBBDC860C0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC920C0 8_2_00007FFBBDC920C0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDCA5C30 8_2_00007FFBBDCA5C30
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC89C30 8_2_00007FFBBDC89C30
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC823D0 8_2_00007FFBBDC823D0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC87B90 8_2_00007FFBBDC87B90
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC9DB8C 8_2_00007FFBBDC9DB8C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC88330 8_2_00007FFBBDC88330
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC8F350 8_2_00007FFBBDC8F350
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC8AB00 8_2_00007FFBBDC8AB00
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC8FAA0 8_2_00007FFBBDC8FAA0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC90AD0 8_2_00007FFBBDC90AD0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC8E2D0 8_2_00007FFBBDC8E2D0
PE file contains strange resources
Source: ComparePlugin.dll.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\wget.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip"
Source: unknown Process created: C:\Windows\SysWOW64\7za.exe 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\ComparePlugin_v2.0.2_X64.zip"
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,beNotified
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3196 -s 436
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1224 -s 432
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getFuncsArray
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3404 -s 432
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getName
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",beNotified
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",getFuncsArray
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",getName
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",isUnicode
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",messageProc
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 428 -s 424
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip" Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,beNotified Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getFuncsArray Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getName Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",beNotified Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",getFuncsArray Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",getName Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",isUnicode Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",messageProc Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out Jump to behavior
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8cc57867-0d7d-43e4-a6c6-6997b62c56f9 Jump to behavior
Source: classification engine Classification label: mal48.evad.win@31/28@2/2
Source: sqlite3.dll.4.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.4.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: sqlite3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: rundll32.exe Binary or memory string: SELECT checksum FROM nodes_current WHERE local_relpath='%s';
Source: sqlite3.dll.4.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sqlite3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sqlite3.dll.4.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: sqlite3.dll.4.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: sqlite3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sqlite3.dll.4.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: sqlite3.dll.4.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,beNotified
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3196
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess372
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3404
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess428
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:304:WilStaging_02
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1224
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC961D0 FindResourceW,LoadResource,LockResource,SizeofResource,GlobalAlloc,GlobalLock, 8_2_00007FFBBDC961D0
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: C:\projects\compare-plugin\Notepad++\plugins\ComparePlugin.pdb source: rundll32.exe, 00000008.00000002.53133614574.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000000.53107375345.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.53160095731.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000000.53198315997.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000016.00000000.53197555059.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, ComparePlugin.dll.4.dr
Source: Binary string: c:\dev\sqlite\core\sqlite3.pdb source: sqlite3.dll.4.dr
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_3_02DF38E0 pushad ; ret 2_3_02DF38E3
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_3_02DECA48 pushad ; retn 0078h 2_3_02DECBBD
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_3_02DECE00 pushfd ; retn 0000h 2_3_02DECEA3
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_3_02DECC31 pushad ; retn 0078h 2_3_02DECC35
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_00A68000 push ebx; retf 2_2_00A68003
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_00A68E4A push eax; retf 2_2_00A68E4C
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_02DF38E0 pushad ; ret 2_2_02DF38E3
PE file contains sections with non-standard names
Source: sqlite3.dll.4.dr Static PE information: section name: text
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC91870 GetModuleHandleW,GetModuleFileNameW,PathRemoveExtensionW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_00007FFBBDC91870
Drops PE files
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\ComparePlugin\sqlite3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\ComparePlugin\git2.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\ComparePlugin.dll Jump to dropped file
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC91870 GetModuleHandleW,GetModuleFileNameW,PathRemoveExtensionW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_00007FFBBDC91870
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll64.exe TID: 6528 Thread sleep time: -120000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\ComparePlugin\sqlite3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\ComparePlugin\git2.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Windows\System32\rundll32.exe API coverage: 0.5 %
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDCA3784 FindFirstFileExA, 8_2_00007FFBBDCA3784
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000 Jump to behavior
Source: wget.exe, 00000002.00000002.53071734243.0000000000A67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: wget.exe Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC98F40 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FFBBDC98F40
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC91870 GetModuleHandleW,GetModuleFileNameW,PathRemoveExtensionW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_00007FFBBDC91870
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDCA47F4 GetProcessHeap, 8_2_00007FFBBDCA47F4
Checks if the current process is being debugged
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC98F40 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FFBBDC98F40
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC98270 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FFBBDC98270
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC9C2DC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FFBBDC9C2DC

HIPS / PFW / Operating System Protection Evasion
barindex
DLL side loading technique detected
Source: C:\Windows\System32\loaddll64.exe Section loaded: C:\Users\user\Desktop\extract\ComparePlugin.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: C:\Users\user\Desktop\extract\ComparePlugin.dll Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\wget.exe Queries volume information: C:\Users\user\Desktop\download VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDCA9C70 cpuid 8_2_00007FFBBDCA9C70
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFBBDC99090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_00007FFBBDC99090
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.18.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.18.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.18.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
Source: Amcache.hve.18.dr Binary or memory string: MsMpEng.exe
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 597349 URL: https://github.com/pnedev/c... Startdate: 25/03/2022 Architecture: WINDOWS Score: 48 50 objects.githubusercontent.com 2->50 52 github.com 2->52 58 Sigma detected: Suspicious Call by Ordinal 2->58 9 loaddll64.exe 1 2->9         started        12 7za.exe 6 2->12         started        15 cmd.exe 2 2->15         started        signatures3 process4 file5 60 DLL side loading technique detected 9->60 17 cmd.exe 1 9->17         started        19 rundll32.exe 9->19         started        21 rundll32.exe 9->21         started        30 6 other processes 9->30 44 C:\Users\user\Desktop\...\ComparePlugin.dll, PE32+ 12->44 dropped 46 C:\Users\user\Desktop\extract\...\sqlite3.dll, PE32+ 12->46 dropped 48 C:\Users\user\Desktop\extract\...\git2.dll, PE32+ 12->48 dropped 23 conhost.exe 12->23         started        25 wget.exe 2 15->25         started        28 conhost.exe 15->28         started        signatures6 process7 dnsIp8 32 rundll32.exe 17->32         started        34 WerFault.exe 20 16 19->34         started        36 WerFault.exe 16 21->36         started        54 github.com 140.82.121.4, 443, 49750 GITHUBUS United States 25->54 56 objects.githubusercontent.com 185.199.110.133, 443, 49751 FASTLYUS Netherlands 25->56 38 WerFault.exe 16 30->38         started        40 WerFault.exe 16 30->40         started        process9 process10 42 WerFault.exe 16 32->42         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
140.82.121.4
 github.com United States
36459 GITHUBUS false
185.199.110.133
 objects.githubusercontent.com Netherlands
54113 FASTLYUS false

Contacted Domains

Name IP Active
github.com 140.82.121.4 true
objects.githubusercontent.com 185.199.110.133 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip false
    		high