Windows Analysis Report
up.dll

Overview

General Information

Sample name: up.dll
Analysis ID: 1533003
MD5: 96b46f6f511442e7a1b5daa125ced491
SHA1: 337f4b6d92b567c30b90de1666f8adb32b457ee2
SHA256: 5546076ae6554a76b243471a4a3c3d002ef80b7504282c05c2a4fb923c8b77fd
Tags: dlluser-4k95m

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: up.dll ReversingLabs: Detection: 39%
Source: up.dll Virustotal: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: up.dll Joe Sandbox ML: detected
Source: up.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: up.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3E7B99 FindFirstFileExW, 4_2_6D3E7B99
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3ADF00 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard, 4_2_6D3ADF00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3ADFE0 OpenClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard, 4_2_6D3ADFE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3D1EA0 GetClientRect,QueryPerformanceCounter,GetForegroundWindow,ClientToScreen,SetCursorPos,GetCursorPos,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 4_2_6D3D1EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3D27B9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 4_2_6D3D27B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3D2625 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 4_2_6D3D2625
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3BFD00 4_2_6D3BFD00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3ABDC0 4_2_6D3ABDC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D38CC20 4_2_6D38CC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D397C75 4_2_6D397C75
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D397C69 4_2_6D397C69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3EEC55 4_2_6D3EEC55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D397CB6 4_2_6D397CB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D397CE1 4_2_6D397CE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D399F10 4_2_6D399F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3C5F90 4_2_6D3C5F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3C0FF0 4_2_6D3C0FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D397E34 4_2_6D397E34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3D1EA0 4_2_6D3D1EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3CDEF0 4_2_6D3CDEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3DC900 4_2_6D3DC900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D397959 4_2_6D397959
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D38A9D0 4_2_6D38A9D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3B5850 4_2_6D3B5850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3A08B0 4_2_6D3A08B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3BD8B0 4_2_6D3BD8B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3DA8D0 4_2_6D3DA8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3EFB20 4_2_6D3EFB20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3BCBF0 4_2_6D3BCBF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3F1BCE 4_2_6D3F1BCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D397A74 4_2_6D397A74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3EFA50 4_2_6D3EFA50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3B5AB0 4_2_6D3B5AB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3B4AB0 4_2_6D3B4AB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D38DAF0 4_2_6D38DAF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3C3500 4_2_6D3C3500
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3B0560 4_2_6D3B0560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3F2549 4_2_6D3F2549
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3BA580 4_2_6D3BA580
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3975E9 4_2_6D3975E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3CE5C0 4_2_6D3CE5C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3BC420 4_2_6D3BC420
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3AC460 4_2_6D3AC460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D39D490 4_2_6D39D490
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3AF490 4_2_6D3AF490
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3F048B 4_2_6D3F048B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D39D700 4_2_6D39D700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D399700 4_2_6D399700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3D2760 4_2_6D3D2760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3C97A0 4_2_6D3C97A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3D17F0 4_2_6D3D17F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D39763E 4_2_6D39763E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3D2625 4_2_6D3D2625
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D39767E 4_2_6D39767E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3AA6C0 4_2_6D3AA6C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3BF160 4_2_6D3BF160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3921D0 4_2_6D3921D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3EB002 4_2_6D3EB002
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D39A070 4_2_6D39A070
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D38D370 4_2_6D38D370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3C23B0 4_2_6D3C23B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3CA3A0 4_2_6D3CA3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3B53F0 4_2_6D3B53F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D39A260 4_2_6D39A260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3B1240 4_2_6D3B1240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3E12A1 4_2_6D3E12A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3972E0 4_2_6D3972E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D391E70 appears 49 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D3BFBC0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D3D5970 appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D38B6B0 appears 43 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D390DC0 appears 47 times
Source: classification engine Classification label: mal56.winDLL@7/5@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D38CC20 CreateToolhelp32Snapshot,Module32FirstW,Module32NextW,Module32NextW,CloseHandle,VirtualQuery, 4_2_6D38CC20
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3880:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4388
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b3b7dabf-3edc-40e7-8ac2-6b857ee17e59
Source: up.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: up.dll Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\up.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\up.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\up.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 776
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: opengl32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: glu32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: up.dll Static file information: File size 47943680 > 1048576
Source: up.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3D1500 QueryPerformanceFrequency,QueryPerformanceCounter,GetKeyboardLayout,GetLocaleInfoA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6D3D1500
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D39ACF0 push ecx; mov dword ptr [esp], 00000000h 4_2_6D39AEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D39ACF0 push ecx; mov dword ptr [esp], 00000000h 4_2_6D39AF27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3C5F90 push ecx; mov dword ptr [esp], 00000000h 4_2_6D3C84DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3C5F90 push ecx; mov dword ptr [esp], 00000000h 4_2_6D3C8B0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3C5F90 push ecx; mov dword ptr [esp], 00000000h 4_2_6D3C8DDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3A7EA0 push ecx; mov dword ptr [esp], 3F800000h 4_2_6D3A8197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D39E990 push ecx; mov dword ptr [esp], 00000000h 4_2_6D39EAB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3BD8B0 push ecx; mov dword ptr [esp], 00000000h 4_2_6D3BD956
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D39ABC0 push ecx; mov dword ptr [esp], 00000000h 4_2_6D39ACA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3D545E push ecx; ret 4_2_6D3D5471
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D39B000 push ecx; mov dword ptr [esp], 00000000h 4_2_6D39B29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D39B000 push ecx; mov dword ptr [esp], 00000000h 4_2_6D39B688
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.0 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D381920 GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,Sleep,GetModuleHandleA,LdrInitializeThunk,EnumWindows, 4_2_6D381920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3D5853 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6D3D5853
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3E8D9A GetProcessHeap, 4_2_6D3E8D9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3D4EF5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6D3D4EF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3D8776 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6D3D8776
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3D566F cpuid 4_2_6D3D566F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: QueryPerformanceFrequency,QueryPerformanceCounter,GetKeyboardLayout,GetLocaleInfoA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6D3D1500
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetKeyboardLayout,GetLocaleInfoA, 4_2_6D3D14C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D3D59B5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_6D3D59B5
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe
No contacted IP infos