Windows Analysis Report
file.dll

Overview

General Information

Sample name: file.dll
(renamed file extension from exe to dll)
Original sample name: file.exe
Analysis ID: 1521607
MD5: 2fe5ff05cdaef7b6539ed20a44aabdeb
SHA1: d575cf3063ac1f573a5a36587db26a7fb2418946
SHA256: 637c98d2e6251df15fc64ba436009706269bfa9d7b1316e43a79575f7891f622
Tags: dll, exe, x64, user-jstrosch

Detection

Score: 7
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Source: file.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\jk\workspace\Build__1.10__API_Win\lowlevel_api\platforms\win\vs2012\_builds\lowlevel_api\Release Dynamic\x64\fmod64.pdb source: loaddll64.exe, 00000000.00000002.2941258987.00007FFDFB7E0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1903303766.00007FFDFB7E0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1891244645.00007FFDFB7E0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1902135714.00007FFDFB7E0000.00000002.00000001.01000000.00000003.sdmp, file.dll
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7CC600 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_wfullpath,_errno,_errno,_errno,_wfullpath,IsRootUNCName,GetDriveTypeW,free,__loctotime64_t,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,__loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,__loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,__loctotime64_t,FindClose,__wdtoxmode,_errno,GetLastError,_dosmaperr,FindClose, 0_2_00007FFDFB7CC600
Source: unknown DNS traffic detected: query: 15.164.165.52.in-addr.arpa reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CDB9B 0_2_00007FFDFB6CDB9B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7C8C24 0_2_00007FFDFB7C8C24
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB701B80 0_2_00007FFDFB701B80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6F6B80 0_2_00007FFDFB6F6B80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6BFC40 0_2_00007FFDFB6BFC40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7C4B70 0_2_00007FFDFB7C4B70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7DAB94 0_2_00007FFDFB7DAB94
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6D1C00 0_2_00007FFDFB6D1C00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7A9BB0 0_2_00007FFDFB7A9BB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6FCBF0 0_2_00007FFDFB6FCBF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CCBF0 0_2_00007FFDFB6CCBF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7AAAF0 0_2_00007FFDFB7AAAF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7CAB48 0_2_00007FFDFB7CAB48
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7C4B40 0_2_00007FFDFB7C4B40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB70CA80 0_2_00007FFDFB70CA80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7D1AA4 0_2_00007FFDFB7D1AA4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7C7AB0 0_2_00007FFDFB7C7AB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB704AE0 0_2_00007FFDFB704AE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CB9A0 0_2_00007FFDFB6CB9A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CE983 0_2_00007FFDFB6CE983
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB762960 0_2_00007FFDFB762960
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6B8A50 0_2_00007FFDFB6B8A50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CF9D0 0_2_00007FFDFB6CF9D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6E38C0 0_2_00007FFDFB6E38C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6E4880 0_2_00007FFDFB6E4880
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB73C940 0_2_00007FFDFB73C940
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CE944 0_2_00007FFDFB6CE944
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6D8930 0_2_00007FFDFB6D8930
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7D6888 0_2_00007FFDFB7D6888
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CDFD6 0_2_00007FFDFB6CDFD6
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB782F70 0_2_00007FFDFB782F70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB761FA0 0_2_00007FFDFB761FA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CDEBF 0_2_00007FFDFB6CDEBF
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6E4EB0 0_2_00007FFDFB6E4EB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6FCEB0 0_2_00007FFDFB6FCEB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6E9EA0 0_2_00007FFDFB6E9EA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7D6F44 0_2_00007FFDFB7D6F44
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6F5E70 0_2_00007FFDFB6F5E70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6F0F10 0_2_00007FFDFB6F0F10
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6E0F00 0_2_00007FFDFB6E0F00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6C1EF0 0_2_00007FFDFB6C1EF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6C2D80 0_2_00007FFDFB6C2D80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CDD7F 0_2_00007FFDFB6CDD7F
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7DDD6C 0_2_00007FFDFB7DDD6C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CDE0A 0_2_00007FFDFB6CDE0A
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6B2E00 0_2_00007FFDFB6B2E00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CDCB1 0_2_00007FFDFB6CDCB1
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6EACA0 0_2_00007FFDFB6EACA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB700D50 0_2_00007FFDFB700D50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB77CCD0 0_2_00007FFDFB77CCD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6D13D0 0_2_00007FFDFB6D13D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB743420 0_2_00007FFDFB743420
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CE37D 0_2_00007FFDFB6CE37D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB705360 0_2_00007FFDFB705360
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6D9430 0_2_00007FFDFB6D9430
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6FC420 0_2_00007FFDFB6FC420
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB75C3C0 0_2_00007FFDFB75C3C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CE3F1 0_2_00007FFDFB6CE3F1
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6B42B0 0_2_00007FFDFB6B42B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6FE2A0 0_2_00007FFDFB6FE2A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CE33D 0_2_00007FFDFB6CE33D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6F0340 0_2_00007FFDFB6F0340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7D11F0 0_2_00007FFDFB7D11F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB763240 0_2_00007FFDFB763240
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6D2170 0_2_00007FFDFB6D2170
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6EC1F0 0_2_00007FFDFB6EC1F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7DE1D4 0_2_00007FFDFB7DE1D4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CE0D8 0_2_00007FFDFB6CE0D8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7440F0 0_2_00007FFDFB7440F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6F90C0 0_2_00007FFDFB6F90C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6F80B0 0_2_00007FFDFB6F80B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7CA11C 0_2_00007FFDFB7CA11C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CE086 0_2_00007FFDFB6CE086
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7077D0 0_2_00007FFDFB7077D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CD7A0 0_2_00007FFDFB6CD7A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6DA790 0_2_00007FFDFB6DA790
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB704780 0_2_00007FFDFB704780
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB761840 0_2_00007FFDFB761840
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6CD83C 0_2_00007FFDFB6CD83C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6C26A0 0_2_00007FFDFB6C26A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB763710 0_2_00007FFDFB763710
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6EA710 0_2_00007FFDFB6EA710
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6DC6F0 0_2_00007FFDFB6DC6F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6C7580 0_2_00007FFDFB6C7580
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6F8640 0_2_00007FFDFB6F8640
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7625A0 0_2_00007FFDFB7625A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7005F3 0_2_00007FFDFB7005F3
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6C8480 0_2_00007FFDFB6C8480
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6F1460 0_2_00007FFDFB6F1460
Source: C:\Windows\System32\loaddll64.exe Code function: String function: 00007FFDFB75FA20 appears 82 times
Source: C:\Windows\System32\loaddll64.exe Code function: String function: 00007FFDFB760F10 appears 31 times
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7556 -s 396
Source: file.dll Binary or memory string: OriginalFilenamefmod64.dll* vs file.dll
Source: classification engine Classification label: clean7.winDLL@116/9@1/0
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7572
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7556
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3724ca42-35e6-43b0-b905-824d05bee4cd
Source: file.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,?addCallback@AsyncThread@FMOD@@QEAA?AW4FMOD_RESULT@@P6A?AW43@H@Z@Z
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\file.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,?addCallback@AsyncThread@FMOD@@QEAA?AW4FMOD_RESULT@@P6A?AW43@H@Z@Z
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7556 -s 396
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7572 -s 404
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,?addDSP@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@HPEAVDSP@2@@Z
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,?addFadePoint@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@_KM@Z
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",?addCallback@AsyncThread@FMOD@@QEAA?AW4FMOD_RESULT@@P6A?AW43@H@Z@Z
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",?addDSP@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@HPEAVDSP@2@@Z
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",?addFadePoint@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@_KM@Z
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_Update
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_UnlockDSP
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_UnloadPlugin
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetUserData
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetStreamBufferSize
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetSpeakerPosition
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetSoftwareFormat
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetSoftwareChannels
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetReverbProperties
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetPluginPath
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetOutputByPlugin
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetOutput
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetNetworkTimeout
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetNetworkProxy
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetGeometrySettings
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetFileSystem
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetDriver
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetDSPBufferSize
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetCallback
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetAdvancedSettings
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_Set3DSettings
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_Set3DRolloffCallback
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_Set3DNumListeners
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_Set3DListenerAttributes
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_Release
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_RegisterOutput
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,?addCallback@AsyncThread@FMOD@@QEAA?AW4FMOD_RESULT@@P6A?AW43@H@Z@Z
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,?addDSP@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@HPEAVDSP@2@@Z
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,?addFadePoint@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@_KM@Z
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",?addCallback@AsyncThread@FMOD@@QEAA?AW4FMOD_RESULT@@P6A?AW43@H@Z@Z
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",?addDSP@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@HPEAVDSP@2@@Z
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",?addFadePoint@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@_KM@Z
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_Update
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_UnlockDSP
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_UnloadPlugin
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetUserData
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetStreamBufferSize
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetSpeakerPosition
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetSoftwareFormat
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetSoftwareChannels
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetReverbProperties
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetPluginPath
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetOutputByPlugin
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetOutput
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetNetworkTimeout
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetNetworkProxy
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetGeometrySettings
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetFileSystem
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetDriver
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetDSPBufferSize
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetCallback
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_SetAdvancedSettings
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_Set3DSettings
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_Set3DRolloffCallback
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_Set3DNumListeners
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_Set3DListenerAttributes
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_Release
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",FMOD_System_RegisterOutput
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7556 -s 396
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: msacm32.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: winmmbase.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: winmmbase.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.dll Static PE information: More than 1090 > 100 exports found
Source: file.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: file.dll Static file information: File size 1756672 > 1048576
Source: file.dll Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12ec00
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\jk\workspace\Build__1.10__API_Win\lowlevel_api\platforms\win\vs2012\_builds\lowlevel_api\Release Dynamic\x64\fmod64.pdb source: loaddll64.exe, 00000000.00000002.2941258987.00007FFDFB7E0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1903303766.00007FFDFB7E0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1891244645.00007FFDFB7E0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1902135714.00007FFDFB7E0000.00000002.00000001.01000000.00000003.sdmp, file.dll
Source: file.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7D4BA4 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00007FFDFB7D4BA4
Source: file.dll Static PE information: section name: _RDATA
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe API coverage: 3.3 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7CC600 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_wfullpath,_errno,_errno,_errno,_wfullpath,IsRootUNCName,GetDriveTypeW,free,__loctotime64_t,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,__loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,__loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,__loctotime64_t,FindClose,__wdtoxmode,_errno,GetLastError,_dosmaperr,FindClose, 0_2_00007FFDFB7CC600
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7D4BA4 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00007FFDFB7D4BA4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7D19C8 GetProcessHeap, 0_2_00007FFDFB7D19C8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7CA99C SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FFDFB7CA99C
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7D4040 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FFDFB7D4040
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB7DDD6C _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,_getenv_helper_nolock,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson, 0_2_00007FFDFB7DDD6C
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe
No contacted IP infos