Windows Analysis Report IGidwJjoUs

Overview

General Information

Sample Name: IGidwJjoUs (renamed file extension from none to dll)
Analysis ID: 532314
MD5: daf0060326338fd3d153248ca89b40e5
SHA1: b11244a64678d1e8280b7daf273cb0563ee51803
SHA256: e9f7e82f30ad5350adb0ad37ac11bc26ae7f3b0879fe33e2a23c97f158c85780
Tags: 32dllexe

Detection

Emotet
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: IGidwJjoUs.dll Virustotal: Detection: 18%
Source: IGidwJjoUs.dll ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: IGidwJjoUs.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: unknown HTTPS traffic detected: 45.63.5.129:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: IGidwJjoUs.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: aUojrXoCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.954537444.0000000000492000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944571126.0000000000891000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944524592.0000000000DEA000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944726193.0000000000891000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944963869.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944733553.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944575719.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.944963869.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944733553.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944575719.0000000000897000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944564783.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.945060966.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.944571126.0000000000891000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944726193.0000000000891000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000014.00000003.962626767.00000000048D5000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.962922934.00000000048D5000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.944564783.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.945060966.000000000088B000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C0927 FindFirstFileExW, 0_2_6E7C0927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7C0927 FindFirstFileExW, 2_2_6E7C0927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECE2C8 FindFirstFileW, 23_2_00ECE2C8

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.63.5.129 187
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /vIcMmPpXrabVVBXOJgaOKuPeOcCKPXUIh HTTP/1.1Cookie: HR=hcy/hRyH9NLoEyk6a7Uz59hOb7mzlO/wmgmuw+U+8hB3e4M76BBMZiQXdzL+rOvzb1yL3LfyOSim45PynOuCpUIZnQ5cZmHqs7SQt9O7zwz4xkXcg6/oRkU7EE5sPE10xFi1y7VDx9Ov7ygmxpemyuKnLT/gv0JB9m9mcmPDhKiVbEhBpBiGTYaZoGTSg6tFd1fI6MMeVezZeVD7pkX8i8U0SqwAVpQnS4Y1xB1iegh6pXp4tFE7gJs9t6T5v6aI71n7DxNMxlhyB7kHYd2tzisWwB/rDwKlrXgJBvRGWdLzEoTJug==Host: 45.63.5.129Connection: Keep-AliveCache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: svchost.exe, 0000001F.00000003.1157345476.0000015108B84000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001F.00000003.1157345476.0000015108B84000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001F.00000003.1157497409.0000015108B8B000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1157345476.0000015108B84000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1156938699.0000015108B97000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP
","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-26T13:57:30.0386475Z||.||6f0c105d-3db6-47de-894d-fd95973349e2||1152921505694224549||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: WerFault.exe, 00000014.00000002.988862312.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.986850979.0000000004911000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.1175308900.0000015108B0D000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1160420267.0000015108B0C000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001F.00000002.1175003928.00000151084EB000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001F.00000003.1150795758.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1150829061.0000015108BD0000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.17.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000001F.00000003.1150795758.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1150829061.0000015108BD0000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001F.00000003.1150795758.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1150829061.0000015108BD0000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001F.00000003.1150795758.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1150829061.0000015108BD0000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001F.00000003.1153314663.0000015108B7E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1153380650.0000015109002000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1153337846.0000015108B8F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.1153407395.0000015108B7E000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB3394 InternetReadFile, 23_2_00EB3394
Source: global traffic HTTP traffic detected: GET /vIcMmPpXrabVVBXOJgaOKuPeOcCKPXUIh HTTP/1.1Cookie: HR=hcy/hRyH9NLoEyk6a7Uz59hOb7mzlO/wmgmuw+U+8hB3e4M76BBMZiQXdzL+rOvzb1yL3LfyOSim45PynOuCpUIZnQ5cZmHqs7SQt9O7zwz4xkXcg6/oRkU7EE5sPE10xFi1y7VDx9Ov7ygmxpemyuKnLT/gv0JB9m9mcmPDhKiVbEhBpBiGTYaZoGTSg6tFd1fI6MMeVezZeVD7pkX8i8U0SqwAVpQnS4Y1xB1iegh6pXp4tFE7gJs9t6T5v6aI71n7DxNMxlhyB7kHYd2tzisWwB/rDwKlrXgJBvRGWdLzEoTJug==Host: 45.63.5.129Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 45.63.5.129:443 -> 192.168.2.4:49794 version: TLS 1.2

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 12.2.rundll32.exe.10b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1170000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1170000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1203908.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.dd3740.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1203908.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1203908.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1203908.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.eb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.dd3740.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1203908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1203908.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.a02240.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10e34a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1170000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.rundll32.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.540000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1203908.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1203908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1170000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1203908.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1020000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.a02240.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.10b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.972240.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.972240.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10e34a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1170000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1203908.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.913568790.0000000001020000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.939956990.0000000001170000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.930364249.00000000003B0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.913622906.00000000010CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.958610660.0000000001170000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.958778791.00000000011EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.939332319.00000000005C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.939371192.000000000095A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1030937060.0000000000DBA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.989427479.00000000011EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.930427759.00000000009EA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.904116541.00000000006AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1031053353.00000000010B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.989393299.0000000001170000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.1139622922.0000000000FAB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.914845954.0000000000540000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.940009942.00000000011EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.956837036.0000000001170000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.939031365.00000000011EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1183917294.0000000000EB0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.956978658.00000000011EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.938967752.0000000001170000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: IGidwJjoUs.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6888 -ip 6888
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Cwisdx\vimpwfmepmyc.nyd:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Cwisdx\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7A9F10 0_2_6E7A9F10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7A77B4 0_2_6E7A77B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7AD530 0_2_6E7AD530
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7A1DE0 0_2_6E7A1DE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7A3A90 0_2_6E7A3A90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7BE3A1 0_2_6E7BE3A1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7B0380 0_2_6E7B0380
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7A6070 0_2_6E7A6070
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7B10C0 0_2_6E7B10C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7A68B0 0_2_6E7A68B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7AA890 0_2_6E7AA890
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7AE890 0_2_6E7AE890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7A9F10 2_2_6E7A9F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7A77B4 2_2_6E7A77B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7AD530 2_2_6E7AD530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7A1DE0 2_2_6E7A1DE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7A3A90 2_2_6E7A3A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7BE3A1 2_2_6E7BE3A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7B0380 2_2_6E7B0380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7A6070 2_2_6E7A6070
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7B10C0 2_2_6E7B10C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7A68B0 2_2_6E7A68B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7AA890 2_2_6E7AA890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7AE890 2_2_6E7AE890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103EA55 3_2_0103EA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01041291 3_2_01041291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103970A 3_2_0103970A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103E10A 3_2_0103E10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103590E 3_2_0103590E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01033D0C 3_2_01033D0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103BF0C 3_2_0103BF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102CB13 3_2_0102CB13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01024D1E 3_2_01024D1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01039124 3_2_01039124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102A92F 3_2_0102A92F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103CD35 3_2_0103CD35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102F73B 3_2_0102F73B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01036540 3_2_01036540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102BD61 3_2_0102BD61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102CF6E 3_2_0102CF6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01040370 3_2_01040370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01033782 3_2_01033782
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01028D80 3_2_01028D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01024B81 3_2_01024B81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103DB87 3_2_0103DB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102358B 3_2_0102358B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01031591 3_2_01031591
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102B191 3_2_0102B191
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01027795 3_2_01027795
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010389A2 3_2_010389A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103E5A7 3_2_0103E5A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103DDA5 3_2_0103DDA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01030BA4 3_2_01030BA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103E3B5 3_2_0103E3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010385B8 3_2_010385B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010243BE 3_2_010243BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010259BF 3_2_010259BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103D7BE 3_2_0103D7BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010219C0 3_2_010219C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010275D2 3_2_010275D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102A3E7 3_2_0102A3E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103EDED 3_2_0103EDED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010251EC 3_2_010251EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103C205 3_2_0103C205
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102800A 3_2_0102800A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0104261E 3_2_0104261E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01029824 3_2_01029824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01023228 3_2_01023228
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103282D 3_2_0103282D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01023432 3_2_01023432
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102243F 3_2_0102243F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01033043 3_2_01033043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102AE43 3_2_0102AE43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01037445 3_2_01037445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102AA4E 3_2_0102AA4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102544C 3_2_0102544C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01026453 3_2_01026453
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102CE5A 3_2_0102CE5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102EE60 3_2_0102EE60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102B464 3_2_0102B464
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01026869 3_2_01026869
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01023A6C 3_2_01023A6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103B677 3_2_0103B677
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102FA78 3_2_0102FA78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102387F 3_2_0102387F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102A083 3_2_0102A083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102F48A 3_2_0102F48A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01030A93 3_2_01030A93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103CE90 3_2_0103CE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01030E97 3_2_01030E97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103A29B 3_2_0103A29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103009A 3_2_0103009A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0103E899 3_2_0103E899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102FE9D 3_2_0102FE9D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01022CC2 3_2_01022CC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010292C1 3_2_010292C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010420CE 3_2_010420CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010310CD 3_2_010310CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010352D1 3_2_010352D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010290D4 3_2_010290D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010328D5 3_2_010328D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01041CDB 3_2_01041CDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0102C0EA 3_2_0102C0EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010356E9 3_2_010356E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010284F0 3_2_010284F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010362F5 3_2_010362F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01034CF5 3_2_01034CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010246FA 3_2_010246FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01021EFB 3_2_01021EFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010340FE 3_2_010340FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CEA55 6_2_003CEA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003D1291 6_2_003D1291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B243F 6_2_003B243F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B3432 6_2_003B3432
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C282D 6_2_003C282D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B3228 6_2_003B3228
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B9824 6_2_003B9824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003D261E 6_2_003D261E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B800A 6_2_003B800A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CC205 6_2_003CC205
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BFA78 6_2_003BFA78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B387F 6_2_003B387F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CB677 6_2_003CB677
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B6869 6_2_003B6869
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B3A6C 6_2_003B3A6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BEE60 6_2_003BEE60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BB464 6_2_003BB464
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BCE5A 6_2_003BCE5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B6453 6_2_003B6453
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BAA4E 6_2_003BAA4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B544C 6_2_003B544C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BAE43 6_2_003BAE43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C7445 6_2_003C7445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C3043 6_2_003C3043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CE899 6_2_003CE899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BFE9D 6_2_003BFE9D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C009A 6_2_003C009A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CA29B 6_2_003CA29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C0E97 6_2_003C0E97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CCE90 6_2_003CCE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C0A93 6_2_003C0A93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BF48A 6_2_003BF48A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BA083 6_2_003BA083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B1EFB 6_2_003B1EFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B46FA 6_2_003B46FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C40FE 6_2_003C40FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C62F5 6_2_003C62F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C4CF5 6_2_003C4CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B84F0 6_2_003B84F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BC0EA 6_2_003BC0EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C56E9 6_2_003C56E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003D1CDB 6_2_003D1CDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C28D5 6_2_003C28D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C52D1 6_2_003C52D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B90D4 6_2_003B90D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C10CD 6_2_003C10CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003D20CE 6_2_003D20CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B2CC2 6_2_003B2CC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B92C1 6_2_003B92C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BF73B 6_2_003BF73B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CCD35 6_2_003CCD35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BA92F 6_2_003BA92F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C9124 6_2_003C9124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B4D1E 6_2_003B4D1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BCB13 6_2_003BCB13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C3D0C 6_2_003C3D0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CBF0C 6_2_003CBF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C590E 6_2_003C590E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C970A 6_2_003C970A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CE10A 6_2_003CE10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003D0370 6_2_003D0370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BCF6E 6_2_003BCF6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BBD61 6_2_003BBD61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C6540 6_2_003C6540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CD7BE 6_2_003CD7BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C85B8 6_2_003C85B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B59BF 6_2_003B59BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B43BE 6_2_003B43BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CE3B5 6_2_003CE3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C0BA4 6_2_003C0BA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CDDA5 6_2_003CDDA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CE5A7 6_2_003CE5A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C89A2 6_2_003C89A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BB191 6_2_003BB191
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C1591 6_2_003C1591
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B7795 6_2_003B7795
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B358B 6_2_003B358B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B4B81 6_2_003B4B81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CDB87 6_2_003CDB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B8D80 6_2_003B8D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C3782 6_2_003C3782
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003CEDED 6_2_003CEDED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B51EC 6_2_003B51EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003BA3E7 6_2_003BA3E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B75D2 6_2_003B75D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B19C0 6_2_003B19C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DEA55 7_2_005DEA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005E1291 7_2_005E1291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CCE5A 7_2_005CCE5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C6453 7_2_005C6453
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C544C 7_2_005C544C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CAA4E 7_2_005CAA4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D7445 7_2_005D7445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D3043 7_2_005D3043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CAE43 7_2_005CAE43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C387F 7_2_005C387F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CFA78 7_2_005CFA78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DB677 7_2_005DB677
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C3A6C 7_2_005C3A6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C6869 7_2_005C6869
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CB464 7_2_005CB464
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CEE60 7_2_005CEE60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005E261E 7_2_005E261E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C800A 7_2_005C800A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DC205 7_2_005DC205
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C243F 7_2_005C243F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C3432 7_2_005C3432
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D282D 7_2_005D282D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C3228 7_2_005C3228
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C9824 7_2_005C9824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005E1CDB 7_2_005E1CDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C90D4 7_2_005C90D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D28D5 7_2_005D28D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D52D1 7_2_005D52D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005E20CE 7_2_005E20CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D10CD 7_2_005D10CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C92C1 7_2_005C92C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C2CC2 7_2_005C2CC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D40FE 7_2_005D40FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C46FA 7_2_005C46FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C1EFB 7_2_005C1EFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D62F5 7_2_005D62F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D4CF5 7_2_005D4CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C84F0 7_2_005C84F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D56E9 7_2_005D56E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CC0EA 7_2_005CC0EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CFE9D 7_2_005CFE9D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DE899 7_2_005DE899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DA29B 7_2_005DA29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D009A 7_2_005D009A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D0E97 7_2_005D0E97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DCE90 7_2_005DCE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D0A93 7_2_005D0A93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CF48A 7_2_005CF48A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CA083 7_2_005CA083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D6540 7_2_005D6540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005E0370 7_2_005E0370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CCF6E 7_2_005CCF6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CBD61 7_2_005CBD61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C4D1E 7_2_005C4D1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CCB13 7_2_005CCB13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D3D0C 7_2_005D3D0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DBF0C 7_2_005DBF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D590E 7_2_005D590E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D970A 7_2_005D970A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DE10A 7_2_005DE10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CF73B 7_2_005CF73B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DCD35 7_2_005DCD35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CA92F 7_2_005CA92F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D9124 7_2_005D9124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C75D2 7_2_005C75D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C19C0 7_2_005C19C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DEDED 7_2_005DEDED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C51EC 7_2_005C51EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CA3E7 7_2_005CA3E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C7795 7_2_005C7795
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D1591 7_2_005D1591
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005CB191 7_2_005CB191
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C358B 7_2_005C358B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DDB87 7_2_005DDB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C8D80 7_2_005C8D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C4B81 7_2_005C4B81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D3782 7_2_005D3782
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C43BE 7_2_005C43BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C59BF 7_2_005C59BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DD7BE 7_2_005DD7BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D85B8 7_2_005D85B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DE3B5 7_2_005DE3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DDDA5 7_2_005DDDA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D0BA4 7_2_005D0BA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005DE5A7 7_2_005DE5A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D89A2 7_2_005D89A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CEA55 12_2_010CEA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010D1291 12_2_010D1291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C3D0C 12_2_010C3D0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CBF0C 12_2_010CBF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C590E 12_2_010C590E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C970A 12_2_010C970A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CE10A 12_2_010CE10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B4D1E 12_2_010B4D1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BCB13 12_2_010BCB13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BA92F 12_2_010BA92F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C9124 12_2_010C9124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BF73B 12_2_010BF73B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CCD35 12_2_010CCD35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C6540 12_2_010C6540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BCF6E 12_2_010BCF6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BBD61 12_2_010BBD61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010D0370 12_2_010D0370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B358B 12_2_010B358B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B4B81 12_2_010B4B81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CDB87 12_2_010CDB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B8D80 12_2_010B8D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C3782 12_2_010C3782
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BB191 12_2_010BB191
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C1591 12_2_010C1591
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B7795 12_2_010B7795
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C0BA4 12_2_010C0BA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CDDA5 12_2_010CDDA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CE5A7 12_2_010CE5A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C89A2 12_2_010C89A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CD7BE 12_2_010CD7BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C85B8 12_2_010C85B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B59BF 12_2_010B59BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B43BE 12_2_010B43BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CE3B5 12_2_010CE3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B19C0 12_2_010B19C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B75D2 12_2_010B75D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CEDED 12_2_010CEDED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B51EC 12_2_010B51EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BA3E7 12_2_010BA3E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B800A 12_2_010B800A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CC205 12_2_010CC205
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010D261E 12_2_010D261E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C282D 12_2_010C282D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B3228 12_2_010B3228
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B9824 12_2_010B9824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B243F 12_2_010B243F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B3432 12_2_010B3432
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BAA4E 12_2_010BAA4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B544C 12_2_010B544C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BAE43 12_2_010BAE43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C7445 12_2_010C7445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C3043 12_2_010C3043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BCE5A 12_2_010BCE5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B6453 12_2_010B6453
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B6869 12_2_010B6869
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B3A6C 12_2_010B3A6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BEE60 12_2_010BEE60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BB464 12_2_010BB464
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BFA78 12_2_010BFA78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B387F 12_2_010B387F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CB677 12_2_010CB677
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BF48A 12_2_010BF48A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BA083 12_2_010BA083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CE899 12_2_010CE899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BFE9D 12_2_010BFE9D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C009A 12_2_010C009A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CA29B 12_2_010CA29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C0E97 12_2_010C0E97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010CCE90 12_2_010CCE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C0A93 12_2_010C0A93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C10CD 12_2_010C10CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010D20CE 12_2_010D20CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B2CC2 12_2_010B2CC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B92C1 12_2_010B92C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010D1CDB 12_2_010D1CDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C28D5 12_2_010C28D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C52D1 12_2_010C52D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B90D4 12_2_010B90D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010BC0EA 12_2_010BC0EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C56E9 12_2_010C56E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B1EFB 12_2_010B1EFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B46FA 12_2_010B46FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C40FE 12_2_010C40FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C62F5 12_2_010C62F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C4CF5 12_2_010C4CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B84F0 12_2_010B84F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC10CD 23_2_00EC10CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ED20CE 23_2_00ED20CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB2CC2 23_2_00EB2CC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC28D5 23_2_00EC28D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBF48A 23_2_00EBF48A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC009A 23_2_00EC009A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECA29B 23_2_00ECA29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ED1291 23_2_00ED1291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECCE90 23_2_00ECCE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBEE60 23_2_00EBEE60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBAA4E 23_2_00EBAA4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBAE43 23_2_00EBAE43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC7445 23_2_00EC7445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB9824 23_2_00EB9824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECEDED 23_2_00ECEDED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC89A2 23_2_00EC89A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB4B81 23_2_00EB4B81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC3782 23_2_00EC3782
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBCF6E 23_2_00EBCF6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ED0370 23_2_00ED0370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBF73B 23_2_00EBF73B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC3D0C 23_2_00EC3D0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECBF0C 23_2_00ECBF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBC0EA 23_2_00EBC0EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC56E9 23_2_00EC56E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB40E2 23_2_00EB40E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB1EFB 23_2_00EB1EFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB46FA 23_2_00EB46FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC40FE 23_2_00EC40FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC62F5 23_2_00EC62F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC4CF5 23_2_00EC4CF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB84F0 23_2_00EB84F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB92C1 23_2_00EB92C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ED1CDB 23_2_00ED1CDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC52D1 23_2_00EC52D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB90D4 23_2_00EB90D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBA083 23_2_00EBA083
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECE899 23_2_00ECE899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBFE9D 23_2_00EBFE9D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC0E97 23_2_00EC0E97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC0A93 23_2_00EC0A93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB6869 23_2_00EB6869
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB3A6C 23_2_00EB3A6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBB464 23_2_00EBB464
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBFA78 23_2_00EBFA78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB387F 23_2_00EB387F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECB677 23_2_00ECB677
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB544C 23_2_00EB544C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC3043 23_2_00EC3043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBCE5A 23_2_00EBCE5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB6453 23_2_00EB6453
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECEA55 23_2_00ECEA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC282D 23_2_00EC282D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB3228 23_2_00EB3228
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB243F 23_2_00EB243F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB3432 23_2_00EB3432
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB800A 23_2_00EB800A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECC205 23_2_00ECC205
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ED261E 23_2_00ED261E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB51EC 23_2_00EB51EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBA3E7 23_2_00EBA3E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB19C0 23_2_00EB19C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB75D2 23_2_00EB75D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC0BA4 23_2_00EC0BA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECDDA5 23_2_00ECDDA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECE5A7 23_2_00ECE5A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECD7BE 23_2_00ECD7BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC85B8 23_2_00EC85B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB59BF 23_2_00EB59BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB43BE 23_2_00EB43BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECE3B5 23_2_00ECE3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB358B 23_2_00EB358B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECDB87 23_2_00ECDB87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB8D80 23_2_00EB8D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBB191 23_2_00EBB191
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC1591 23_2_00EC1591
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB7795 23_2_00EB7795
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBBD61 23_2_00EBBD61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC6540 23_2_00EC6540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBA92F 23_2_00EBA92F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC9124 23_2_00EC9124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECCD35 23_2_00ECCD35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC590E 23_2_00EC590E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC970A 23_2_00EC970A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECE10A 23_2_00ECE10A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB4D1E 23_2_00EB4D1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EBCB13 23_2_00EBCB13
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E7BAC90 appears 33 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E7A1DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E7BAC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E7A1DE0 appears 97 times
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: IGidwJjoUs.dll Virustotal: Detection: 18%
Source: IGidwJjoUs.dll ReversingLabs: Detection: 17%
Source: IGidwJjoUs.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,akyncbgollmj
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cwisdx\vimpwfmepmyc.nyd",czAZWAgsaZPj
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6888 -ip 6888
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 308
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6888 -ip 6888
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 304
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cwisdx\vimpwfmepmyc.nyd",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,Control_RunDLL Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,ajkaibu Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,akyncbgollmj Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cwisdx\vimpwfmepmyc.nyd",czAZWAgsaZPj Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cwisdx\vimpwfmepmyc.nyd",Control_RunDLL Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6888 -ip 6888 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 308 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6888 -ip 6888 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 304 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER42EA.tmp Jump to behavior
Source: classification engine Classification label: mal84.troj.evad.winDLL@36/14@0/2
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ED1B99 CreateToolhelp32Snapshot, 23_2_00ED1B99
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6596:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6948:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6888
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: IGidwJjoUs.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: IGidwJjoUs.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: aUojrXoCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.954537444.0000000000492000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944571126.0000000000891000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944524592.0000000000DEA000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944726193.0000000000891000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944963869.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944733553.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944575719.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.944963869.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944733553.0000000000897000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944575719.0000000000897000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944564783.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.945060966.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.944571126.0000000000891000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.944726193.0000000000891000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000014.00000003.962626767.00000000048D5000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.962922934.00000000048D5000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.946657846.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.966528838.0000000004CD1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.944564783.000000000088B000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.945060966.000000000088B000.00000004.00000001.sdmp
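The process-creation lines above show the pattern the Sigma hit in the overview refers to: rundll32.exe invoked on the dropped module with a meaningless extension (vimpwfmepmyc.nyd) from a freshly created subdirectory of SysWOW64, the Control_RunDLL export called on a module that is not shell32.dll, and rundll32 spawning rundll32. The following is an added example, not code from the report or from the Sigma rule: a small triage routine that parses rundll32 command lines and scores them with heuristics of my own that mirror those observations. The events are constructed from the command lines listed above plus one benign control (a Control Panel applet opened through shell32.dll), so it runs offline.

```python
"""
Triage of rundll32.exe process-creation events, modelled on the process
tree in the report above. Added example: the rules are heuristics of my
own derived from the observed command lines, not the Sigma rule the report
references, and the events below are constructed from the report's lines.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Extensions rundll32 is normally asked to load. The sample's persisted copy
# is "vimpwfmepmyc.nyd", a PE file behind a meaningless extension.
NORMAL_MODULE_EXT = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# A module one directory below SysWOW64 or System32 (the report shows
# C:\Windows\SysWOW64\Cwisdx\...). In production, whitelist known subfolders.
SYSDIR_CHILD = re.compile(
    r"^c:\\windows\\(?:syswow64|system32)\\[^\\]+\\[^\\]+$", re.IGNORECASE
)

# rundll32 <module>,<entry> [args]; module may be quoted; entry is a name or #ordinal.
RUNDLL_RE = re.compile(
    r'^(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+'  # image, quoted or bare
    r'(?:"([^"]+)"|([^\s,]+))\s*,\s*'                 # module, quoted or bare
    r"(\S+)",                                         # entry point
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    event: ProcEvent
    reasons: List[str] = field(default_factory=list)


def parse_rundll32_args(command_line: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (module_path, entry_point), or (None, None) if not a rundll32 call."""
    m = RUNDLL_RE.match(command_line)
    if not m:
        return None, None
    return (m.group(1) or m.group(2)), m.group(3)


def assess(ev: ProcEvent) -> Optional[Finding]:
    """Apply the heuristics to one event; None means nothing suspicious."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return None
    module, entry = parse_rundll32_args(ev.command_line)
    if module is None:
        return None
    reasons = []
    ext = ntpath.splitext(module)[1].lower()
    if ext not in NORMAL_MODULE_EXT:
        reasons.append(f"module extension {ext!r} is not a loadable-library extension")
    if SYSDIR_CHILD.match(module):
        reasons.append("module loaded from a subdirectory of the system directory")
    # Control_RunDLL is shell32's Control Panel entry point. The sample exports a
    # Control_RunDLL of its own, so that export name on any other module is odd.
    if entry.lower() == "control_rundll" and ntpath.basename(module).lower() != "shell32.dll":
        reasons.append("Control_RunDLL export invoked on a module other than shell32.dll")
    if ev.parent_image.lower().endswith("\\rundll32.exe"):
        reasons.append("rundll32 spawned by rundll32")
    return Finding(ev, reasons) if reasons else None


def triage(events: List[ProcEvent]) -> List[Finding]:
    """Return a Finding for every event that trips at least one heuristic."""
    return [f for f in (assess(e) for e in events) if f is not None]


# Constructed from the process-creation lines in the report, plus one benign control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,Control_RunDLL"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1'),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cwisdx\vimpwfmepmyc.nyd",czAZWAgsaZPj'),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cwisdx\vimpwfmepmyc.nyd",Control_RunDLL'),
    # Benign control (constructed): the Display applet opened the normal way.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL desk.cpl'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.event.command_line)
        for r in f.reasons:
            print("   -", r)
```

Three of the four malicious events are flagged; the `cmd.exe /C rundll32.exe "...",#1` launch is not, because nothing in its command line alone is abnormal. That gap is why the report's Yara and network signatures matter alongside process-creation rules: a DLL loaded by ordinal from a user directory needs file or memory evidence, not just the command line.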

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C6A93 push ecx; ret 0_2_6E7C6AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7C6A93 push ecx; ret 2_2_6E7C6AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010213E7 push esi; retf 3_2_010213F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003B13E7 push esi; retf 6_2_003B13F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005C13E7 push esi; retf 7_2_005C13F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010B13E7 push esi; retf 12_2_010B13F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EB13E7 push esi; retf 23_2_00EB13F0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7AE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6E7AE690

Persistence and Installation Behavior:

barindex
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Cwisdx\vimpwfmepmyc.nyd Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Cwisdx\vimpwfmepmyc.nyd:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (10 occurrences)
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (6 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior (2 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (19 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior (2 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (19 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 2460 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C0927 FindFirstFileExW, 0_2_6E7C0927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7C0927 FindFirstFileExW, 2_2_6E7C0927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00ECE2C8 FindFirstFileW, 23_2_00ECE2C8
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: Amcache.hve.17.dr Binary or memory string: VMware
Source: Amcache.hve.17.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.17.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.17.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.17.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr Binary or memory string: VMware7,1
Source: Amcache.hve.17.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.17.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000014.00000003.986775578.00000000048FB000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.988850293.00000000048FE000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.988815498.00000000048D0000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.1174922898.00000151084D2000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.1174714591.0000015108489000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.1175003928.00000151084EB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.17.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.17.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.17.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.17.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E7C0326
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7AE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6E7AE690
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7A1290 GetProcessHeap,HeapAlloc,HeapFree, 0_2_6E7A1290
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7B9990 mov eax, dword ptr fs:[00000030h] 0_2_6E7B9990
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7BEC0B mov ecx, dword ptr fs:[00000030h] 0_2_6E7BEC0B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C02CC mov eax, dword ptr fs:[00000030h] 0_2_6E7C02CC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7B9920 mov esi, dword ptr fs:[00000030h] 0_2_6E7B9920
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7B9920 mov eax, dword ptr fs:[00000030h] 0_2_6E7B9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7B9990 mov eax, dword ptr fs:[00000030h] 2_2_6E7B9990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7BEC0B mov ecx, dword ptr fs:[00000030h] 2_2_6E7BEC0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7C02CC mov eax, dword ptr fs:[00000030h] 2_2_6E7C02CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7B9920 mov esi, dword ptr fs:[00000030h] 2_2_6E7B9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7B9920 mov eax, dword ptr fs:[00000030h] 2_2_6E7B9920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010307D2 mov eax, dword ptr fs:[00000030h] 3_2_010307D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_003C07D2 mov eax, dword ptr fs:[00000030h] 6_2_003C07D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_005D07D2 mov eax, dword ptr fs:[00000030h] 7_2_005D07D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_010C07D2 mov eax, dword ptr fs:[00000030h] 12_2_010C07D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_00EC07D2 mov eax, dword ptr fs:[00000030h] 23_2_00EC07D2
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7BA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E7BA462
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7C0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E7C0326
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7BAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E7BAB0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7BA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E7BA462
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7C0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E7C0326
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7BAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E7BAB0C
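Two of the signatures in this report are pure byte patterns: the "push esi; retf" / "push ecx; ret" sequences listed under Data Obfuscation, and the `mov r32, dword ptr fs:[00000030h]` reads listed under Contains functionality to read the PEB. The following is an added example, not code from the sample or from the sandbox, that scans a 32-bit code buffer for both. It goes slightly beyond the page by covering the fs:[30h] read for all eight general registers (the report lists the eax, ecx and esi forms) and by checking whether the PEB pointer is then used to read BeingDebugged (offset 2) or NtGlobalFlag (offset 0x68), which separates a real debugger check from the incidental PEB reads that runtime start-up code performs. The input buffer is constructed, not bytes from the sample.

```python
"""
Scans a 32-bit code buffer for two of the code-level signatures listed in
the report: reads of the PEB via fs:[30h] and push-reg; ret(f) sequences.
Added example with a constructed input buffer; not code from the sample or
from Joe Sandbox. Encodings are standard IA-32.
"""
from typing import List, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# fs:[30h] holds the PEB pointer in a 32-bit process (TEB.ProcessEnvironmentBlock).
#   64 A1 30 00 00 00       mov eax, dword ptr fs:[30h]   (short moffs form, eax only)
#   64 8B /r 30 00 00 00    mov r32, dword ptr fs:[30h]   (ModRM mod=00 rm=101 -> disp32)
# The report shows the eax, ecx and esi variants; this table covers all eight
# registers, a generalisation of what the page lists.
PEB_READS: List[Tuple[bytes, int]] = [(bytes.fromhex("64A130000000"), 0)]
for _reg in range(8):
    PEB_READS.append((bytes([0x64, 0x8B, 0x05 | (_reg << 3), 0x30, 0, 0, 0]), _reg))

# PEB fields commonly consulted by anti-debug code (disp8 offsets, 32-bit layout).
PEB_FIELDS = {0x02: "BeingDebugged", 0x68: "NtGlobalFlag"}

RETS = {0xC3: "ret", 0xCB: "retf"}


def peb_field_after(code: bytes, pos: int, reg: int, window: int = 12) -> Optional[str]:
    """After the PEB pointer was loaded into `reg`, look ahead for a
    [reg+disp8] operand (ModRM mod=01, rm=reg) whose disp8 is a known field.
    Heuristic: it does not decode instruction boundaries."""
    for j in range(pos, min(pos + window, len(code) - 1)):
        modrm, disp = code[j], code[j + 1]
        if (modrm & 0xC7) == (0x40 | reg) and disp in PEB_FIELDS:
            return PEB_FIELDS[disp]
    return None


def find_peb_reads(code: bytes) -> List[Tuple[int, str, Optional[str]]]:
    """Return (offset, disassembly, PEB field read afterwards or None) per fs:[30h] read."""
    hits = []
    for pattern, reg in PEB_READS:
        start = 0
        while (i := code.find(pattern, start)) != -1:
            text = f"mov {REG32[reg]}, dword ptr fs:[30h]"
            hits.append((i, text, peb_field_after(code, i + len(pattern), reg)))
            start = i + 1
    return sorted(hits)


def find_push_ret(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, disassembly) for every push r32 (50+r) immediately
    followed by ret (C3) or retf (CB): the call/push/ret obfuscation the
    report flags. Linear byte scan, so expect some false positives in data."""
    hits = []
    for i in range(len(code) - 1):
        op, nxt = code[i], code[i + 1]
        if 0x50 <= op <= 0x57 and nxt in RETS:
            hits.append((i, f"push {REG32[op - 0x50]}; {RETS[nxt]}"))
    return hits


# Constructed buffer modelled on the report's disassembly lines (not sample bytes).
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"              # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"     # mov eax, dword ptr fs:[30h]       -> PEB
    "0F B6 40 02"           # movzx eax, byte ptr [eax+2]       -> PEB.BeingDebugged
    "85 C0"                 # test eax, eax
    "75 02"                 # jnz +2
    "56 CB"                 # push esi; retf                    -> obfuscated transfer
    "64 8B 0D 30 00 00 00"  # mov ecx, dword ptr fs:[30h]       -> PEB read, no field check
    "C9 C3"                 # leave; ret
)

if __name__ == "__main__":
    for off, text, fld in find_peb_reads(SAMPLE_CODE):
        print(f"{off:#06x}  {text}" + (f"   ; then reads PEB.{fld}" if fld else ""))
    for off, text in find_push_ret(SAMPLE_CODE):
        print(f"{off:#06x}  {text}")
```

On the constructed buffer the first PEB read is followed by a BeingDebugged access and the second is not; only the first is worth a closer look. The same distinction applies to the report: the `IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter` and `GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter` sequences at 0_2_6E7C0326, 0_2_6E7BAB0C and 0_2_6E7BA755 are the call patterns the MSVC runtime emits for its fatal-error handler and security-cookie initialisation, so fs:[30h] reads in that same 6E7Bxxxx/6E7Cxxxx region should be confirmed against a field access before being reported as deliberate anti-debugging.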

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.63.5.129 187 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6888 -ip 6888 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 308 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6888 -ip 6888 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 304 Jump to behavior
Source: loaddll32.exe, 00000000.00000000.958967461.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.957163784.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.939113865.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.940086206.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000017.00000002.1185190253.00000000036C0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.958967461.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.957163784.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.939113865.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.940086206.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000017.00000002.1185190253.00000000036C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.958967461.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.957163784.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.939113865.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.940086206.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000017.00000002.1185190253.00000000036C0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.958967461.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.957163784.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.939113865.0000000001770000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.940086206.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000017.00000002.1185190253.00000000036C0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7BA584 cpuid 0_2_6E7BA584
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7BA755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6E7BA755

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.17.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet