Windows Analysis Report
main.dll

Overview

General Information

Sample name: main.dll
Analysis ID: 1533005
MD5: 96d2a1bfbe79b68678b78017bf4ca532
SHA1: c61e6222a42d858ab329eb5e0930b5274256c69d
SHA256: 5e97d896a427313467f598567f4dd60afc891f6b516faf3fc8d6379a7df40de4
Tags: dll, user-4k95m

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: main.dll ReversingLabs: Detection: 47%
Source: main.dll Virustotal: Detection: 56%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: main.dll Joe Sandbox ML: detected
Source: main.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: main.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D737B99 FindFirstFileExW, 4_2_6D737B99
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: time.windows.com
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6FDF00 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard, 4_2_6D6FDF00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6FDFE0 OpenClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard, 4_2_6D6FDFE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D721EA0 GetClientRect,QueryPerformanceCounter,GetForegroundWindow,ClientToScreen,SetCursorPos,GetCursorPos,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 4_2_6D721EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D7227B9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 4_2_6D7227B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D70FD00 4_2_6D70FD00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6FBDC0 4_2_6D6FBDC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6E7C69 4_2_6D6E7C69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6E7C75 4_2_6D6E7C75
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D73EC55 4_2_6D73EC55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6DCC20 4_2_6D6DCC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6E7CE1 4_2_6D6E7CE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6E7CB6 4_2_6D6E7CB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6E9F10 4_2_6D6E9F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D710FF0 4_2_6D710FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D715F90 4_2_6D715F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6E7E34 4_2_6D6E7E34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D71DEF0 4_2_6D71DEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D721EA0 4_2_6D721EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6E7959 4_2_6D6E7959
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D72C900 4_2_6D72C900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6DA9D0 4_2_6D6DA9D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D705850 4_2_6D705850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D72A8D0 4_2_6D72A8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D70D8B0 4_2_6D70D8B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6F08B0 4_2_6D6F08B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D73FB20 4_2_6D73FB20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D70CBF0 4_2_6D70CBF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D741BCE 4_2_6D741BCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6E7A74 4_2_6D6E7A74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D73FA50 4_2_6D73FA50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6DDAF0 4_2_6D6DDAF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D705AB0 4_2_6D705AB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D704AB0 4_2_6D704AB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D700560 4_2_6D700560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D742549 4_2_6D742549
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D713500 4_2_6D713500
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6E75E9 4_2_6D6E75E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D71E5C0 4_2_6D71E5C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D70A580 4_2_6D70A580
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6FC460 4_2_6D6FC460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D70C420 4_2_6D70C420
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6ED490 4_2_6D6ED490
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6FF490 4_2_6D6FF490
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D74048B 4_2_6D74048B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D722760 4_2_6D722760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6ED700 4_2_6D6ED700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6E9700 4_2_6D6E9700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D7217F0 4_2_6D7217F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D7227B9 4_2_6D7227B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D7197A0 4_2_6D7197A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6E767E 4_2_6D6E767E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6E763E 4_2_6D6E763E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6FA6C0 4_2_6D6FA6C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D70F160 4_2_6D70F160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6E21D0 4_2_6D6E21D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6EA070 4_2_6D6EA070
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D73B002 4_2_6D73B002
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6DD370 4_2_6D6DD370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D7053F0 4_2_6D7053F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D7123B0 4_2_6D7123B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D71A3A0 4_2_6D71A3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6EA260 4_2_6D6EA260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D701240 4_2_6D701240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6E72E0 4_2_6D6E72E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D7312A1 4_2_6D7312A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D6E1E70 appears 49 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D6E0DC0 appears 47 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D725970 appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D6DB6B0 appears 43 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D70FBC0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 776
Source: classification engine Classification label: mal56.winDLL@7/5@1/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6DCC20 CreateToolhelp32Snapshot,Module32FirstW,Module32NextW,Module32NextW,CloseHandle,VirtualQuery, 4_2_6D6DCC20
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7584
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4b54a455-673e-4122-a563-0413c629bfff
Source: main.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: main.dll Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\main.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\main.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\main.dll",#1
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: opengl32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: glu32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: main.dll Static file information: File size 4952064 > 1048576
Source: main.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D721500 QueryPerformanceFrequency,QueryPerformanceCounter,GetKeyboardLayout,GetLocaleInfoA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6D721500
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6EACF0 push ecx; mov dword ptr [esp], 00000000h 4_2_6D6EAEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6EACF0 push ecx; mov dword ptr [esp], 00000000h 4_2_6D6EAF27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D715F90 push ecx; mov dword ptr [esp], 00000000h 4_2_6D7184DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D715F90 push ecx; mov dword ptr [esp], 00000000h 4_2_6D718B0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D715F90 push ecx; mov dword ptr [esp], 00000000h 4_2_6D718DDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6F7EA0 push ecx; mov dword ptr [esp], 3F800000h 4_2_6D6F8197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6EE990 push ecx; mov dword ptr [esp], 00000000h 4_2_6D6EEAB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D70D8B0 push ecx; mov dword ptr [esp], 00000000h 4_2_6D70D956
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6EABC0 push ecx; mov dword ptr [esp], 00000000h 4_2_6D6EACA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D72545E push ecx; ret 4_2_6D725471
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6EB000 push ecx; mov dword ptr [esp], 00000000h 4_2_6D6EB29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6EB000 push ecx; mov dword ptr [esp], 00000000h 4_2_6D6EB688
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.0 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D6D1920 GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,Sleep,GetModuleHandleA,LdrInitializeThunk,EnumWindows, 4_2_6D6D1920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D725853 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6D725853
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D738D9A GetProcessHeap, 4_2_6D738D9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D724EF5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6D724EF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D728776 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6D728776
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D72566F cpuid 4_2_6D72566F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: QueryPerformanceFrequency,QueryPerformanceCounter,GetKeyboardLayout,GetLocaleInfoA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6D721500
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetKeyboardLayout,GetLocaleInfoA, 4_2_6D7214C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D7259B5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_6D7259B5
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe
No contacted IP infos