Windows Analysis Report IGidwJjoUs.dll

Overview

General Information

Sample Name: IGidwJjoUs.dll
Analysis ID: 532314
MD5: daf0060326338fd3d153248ca89b40e5
SHA1: b11244a64678d1e8280b7daf273cb0563ee51803
SHA256: e9f7e82f30ad5350adb0ad37ac11bc26ae7f3b0879fe33e2a23c97f158c85780
Tags: 32 dll exe

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: IGidwJjoUs.dll Virustotal: Detection: 18%
Source: IGidwJjoUs.dll ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: IGidwJjoUs.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: IGidwJjoUs.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
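The flag names in the two static PE lines above are bits of IMAGE_FILE_HEADER.Characteristics (32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE) and IMAGE_OPTIONAL_HEADER.DllCharacteristics (DYNAMIC_BASE, NX_COMPAT). The following is an added example, not part of the report or of the sandbox's own code, that reads those bits from a PE image with nothing but the standard library and reports which build-time mitigations are absent. The header it builds for the demo is constructed to mirror the sample's reported flags; it is not bytes from the sample. The `mitigations_missing` policy (expect DYNAMIC_BASE and NX_COMPAT, plus HIGH_ENTROPY_VA on PE32+) is the editor's assumption.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64"}


def parse_pe_flags(data: bytes) -> dict:
    """Return machine type, file characteristics and DLL characteristics of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 72:
        raise ValueError("optional header too short")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 (0x10B) and PE32+ (0x20B)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "characteristics": sorted(n for b, n in FILE_CHARACTERISTICS.items() if chars & b),
        "dll_characteristics": sorted(n for b, n in DLL_CHARACTERISTICS.items() if dll_chars & b),
    }


def build_header(machine: int, characteristics: int, dll_characteristics: int, magic: int = 0x10B) -> bytes:
    """Constructed minimal PE header (no sections, 224-byte optional header) for offline testing; not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def mitigations_missing(flags: dict) -> list:
    """Assumed baseline: a modern DLL should carry DYNAMIC_BASE and NX_COMPAT (and HIGH_ENTROPY_VA when 64-bit)."""
    want = ["DYNAMIC_BASE", "NX_COMPAT"] + (["HIGH_ENTROPY_VA"] if flags["pe32plus"] else [])
    return [w for w in want if w not in flags["dll_characteristics"]]


if __name__ == "__main__":
    # Constructed header mirroring the flags the report lists for the sample
    sample = build_header(0x014C, 0x0002 | 0x0020 | 0x0100 | 0x2000, 0x0040 | 0x0100)
    print(parse_pe_flags(sample), "missing:", mitigations_missing(parse_pe_flags(sample)))
    # For a real file: parse_pe_flags(open(path, "rb").read())
```

Malware that carries DYNAMIC_BASE and NX_COMPAT, as this sample does, gains nothing defensively from them; the flags matter in triage only as a fingerprint of the build toolchain and as a reminder that ASLR/DEP do not hinder a sample that is simply loaded and run by rundll32.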
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.542105477.0000000004707000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.557674651.00000000008FC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.558306553.00000000008FC000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000014.00000002.550946257.0000000000712000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000017.00000003.557674651.00000000008FC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.558306553.00000000008FC000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE40927 FindFirstFileExW, 0_2_6EE40927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE40927 FindFirstFileExW, 2_2_6EE40927
Source: svchost.exe, 00000005.00000002.572072267.000001E606464000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.586164853.0000000004822000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.584470367.0000000004822000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000005.00000002.572072267.000001E606464000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: Amcache.hve.20.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000000A.00000002.443620520.000001EFA2E13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.636267291.00000242C7246000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.636267291.00000242C7246000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.636267291.00000242C7246000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000003.417415172.000001EFA2E62000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.635879390.00000242C7229000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.635879390.00000242C7229000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000003.417424737.000001EFA2E5D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.462341728.000001EFA2E59000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417433888.000001EFA2E58000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.417415172.000001EFA2E62000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.448847243.000001EFA2E29000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000002.462341728.000001EFA2E59000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417433888.000001EFA2E58000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.417403322.000001EFA2E64000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.464318876.000001EFA2E65000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.417415172.000001EFA2E62000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.417445665.000001EFA2E41000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417479040.000001EFA2E45000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417461490.000001EFA2E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.460132163.000001EFA2E4C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.462341728.000001EFA2E59000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417433888.000001EFA2E58000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000002.448847243.000001EFA2E29000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.417415172.000001EFA2E62000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.417415172.000001EFA2E62000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.417415172.000001EFA2E62000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000003.369046092.000001EFA2E34000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.417419677.000001EFA2E5F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.463414413.000001EFA2E60000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000002.448847243.000001EFA2E29000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.417415172.000001EFA2E62000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.417445665.000001EFA2E41000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.462341728.000001EFA2E59000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417433888.000001EFA2E58000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.417424737.000001EFA2E5D000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.417433888.000001EFA2E58000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.462341728.000001EFA2E59000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417433888.000001EFA2E58000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000002.464318876.000001EFA2E65000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.463414413.000001EFA2E60000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.417415172.000001EFA2E62000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.448847243.000001EFA2E29000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.369046092.000001EFA2E34000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.417470491.000001EFA2E3D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.369046092.000001EFA2E34000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.456715120.000001EFA2E40000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.448847243.000001EFA2E29000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.369046092.000001EFA2E34000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.369046092.000001EFA2E34000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.369046092.000001EFA2E34000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000003.417470491.000001EFA2E3D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.369046092.000001EFA2E34000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000003.417445665.000001EFA2E41000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417479040.000001EFA2E45000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417461490.000001EFA2E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.460132163.000001EFA2E4C000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 0.0.loaddll32.exe.1173618.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.9c21e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.32721e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3453508.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1173618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.6e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1173618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1173618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.32721e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1173618.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.9c21e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3453508.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.7d2460.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1173618.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1173618.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1173618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1173618.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.7d2460.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1173618.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.495947216.000000000343A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.554615326.000000000116C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.536076698.00000000006E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.536378557.000000000116C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.553224532.0000000001050000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.537869940.0000000001050000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.627627786.0000000000740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.533240678.0000000000F10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.627859326.00000000007BA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.553425697.000000000116C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.586675822.0000000001050000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.536480862.00000000009AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.487102902.000000000327C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.534996717.000000000325A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.586734813.000000000116C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.554273398.0000000001050000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.497144538.0000000000F00000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.535907567.0000000001050000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.538443258.000000000116C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.496002665.0000000004D10000.00000040.00000010.sdmp, type: MEMORY
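The Yara hits above are listed by dump identifier only. The two shapes used are `<pid>.<stage>.<image>.<base hex>.<n>[.raw].unpack` for unpacked PE images and `<pid hex>.<stage hex>.<dump id>.<address hex>.<protect hex>.<type hex>.sdmp` for raw memory regions. The following is an added example, not part of the report or of the sandbox's tooling, that parses both forms and groups the matches per process so an analyst can see which processes carried the payload and at which addresses. The field meanings are the editor's reading of the naming convention (an assumption); in particular the fifth `.sdmp` field is treated as a PAGE_* protection value because the values seen here (0x04, 0x40) line up with PAGE_READWRITE and PAGE_EXECUTE_READWRITE, and the sixth field is left uninterpreted.

```python
import re
from collections import defaultdict

# Assumed naming convention of the identifiers in the list above
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.(?P<n>\d+)(?P<raw>\.raw)?\.unpack$")
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<id>\d+)\.(?P<addr>[0-9A-F]{16})"
    r"\.(?P<protect>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})\.sdmp$")

# winnt.h page-protection constants; the three 0x10/0x20/0x40 values are executable
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_READWRITE = 0x10, 0x20, 0x40, 0x04
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE


def parse_match(source: str) -> dict:
    """Normalise one 'Yara match File source:' identifier into pid / stage / image / address fields."""
    m = UNPACK_RE.match(source)
    if m:
        return {"kind": "unpack", "pid": int(m["pid"]), "stage": int(m["stage"]), "image": m["image"],
                "addr": int(m["base"], 16), "raw": bool(m["raw"]), "protect": None}
    m = SDMP_RE.match(source)
    if m:
        # protect is read as a PAGE_* value (assumption, see lead-in); the type field is not interpreted
        return {"kind": "memory", "pid": int(m["pid"], 16), "stage": int(m["stage"], 16), "image": None,
                "addr": int(m["addr"], 16), "raw": False, "protect": int(m["protect"], 16)}
    raise ValueError(f"unrecognised dump identifier: {source}")


def summarise(sources) -> dict:
    """Group matches by pid: image names seen, distinct addresses, and whether any raw hit was in executable memory."""
    per_pid = defaultdict(lambda: {"images": set(), "addrs": set(), "executable": False})
    for s in sources:
        rec = parse_match(s)
        p = per_pid[rec["pid"]]
        p["addrs"].add(rec["addr"])
        if rec["image"]:
            p["images"].add(rec["image"])
        if rec["protect"] is not None and rec["protect"] & EXEC_MASK:
            p["executable"] = True
    return dict(per_pid)


# Identifiers copied from the match list above (a subset, not constructed)
REPORT_ROWS = [
    "0.0.loaddll32.exe.1173618.10.unpack",
    "0.0.loaddll32.exe.1050000.3.raw.unpack",
    "4.2.rundll32.exe.32721e0.1.raw.unpack",
    "14.2.rundll32.exe.740000.0.unpack",
    "00000003.00000002.495947216.000000000343A000.00000004.00000020.sdmp",
    "00000006.00000002.536076698.00000000006E0000.00000040.00000010.sdmp",
]

if __name__ == "__main__":
    for pid, info in sorted(summarise(REPORT_ROWS).items()):
        addrs = ", ".join(hex(a) for a in sorted(info["addrs"]))
        print(f"pid {pid:>2}  images={sorted(info['images'])}  addrs=[{addrs}]  exec={info['executable']}")
```

Run over the full list, the grouping shows the same payload base (0x1050000 in loaddll32.exe) matching at both the stage-0 and stage-2 dumps, which is the analyst's cue that the unpacked Emotet module is present from DLL load onward rather than materialising only after a runtime unpacking step.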

System Summary:

Uses 32bit PE files
Source: IGidwJjoUs.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2888 -ip 2888
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Zataohhmydsvookq\ujdgr.cef:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Zataohhmydsvookq\
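The two file events above (rundll32 creating a randomly named folder under SysWOW64 and stripping the Zone.Identifier stream from a non-DLL-named module inside it), together with the "Emotet RunDLL32 Process Creation" Sigma hit in the signature list, are the pieces of this run that translate directly into host telemetry rules. The following is an added example, written by the editor and not taken from the report, from the Sigma rule (whose logic the report does not reproduce) or from any vendor, that runs those heuristics over constructed Sysmon-style events. The export name in the rundll32 command line, the benign events and the module-extension allowlist are assumptions for the demo; the paths are the ones the report observed.

```python
import ntpath
import re

# Module extensions a legitimate rundll32 invocation normally loads (assumed allowlist)
LOADER_EXTS = {".dll", ".ocx", ".cpl", ".ax", ".drv"}
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
WINDIR = "c:\\windows\\"

# Assumed rundll32 command-line shape: [path\]rundll32[.exe] ["]<module>["],<export>[ args]
_RUNDLL_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.IGNORECASE)


def rundll32_module(cmdline: str):
    """Return the module path rundll32 was asked to load, or None if the line does not parse."""
    m = _RUNDLL_RE.match(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def check_process(ev: dict) -> list:
    """rundll32 loading a module that is not a DLL by extension, or that lives in a
    subdirectory of System32/SysWOW64 (where Emotet-style installs drop a random folder)."""
    alerts = []
    if ntpath.basename(ev["image"]).lower() != "rundll32.exe":
        return alerts
    mod = rundll32_module(ev.get("cmdline", ""))
    if not mod:
        return alerts
    low = mod.lower()
    if ntpath.splitext(low)[1] not in LOADER_EXTS:
        alerts.append(("rundll32_module_without_dll_extension", mod))
    if any(low.startswith(d) and "\\" in low[len(d):] for d in SYSTEM_DIRS):
        alerts.append(("rundll32_module_in_system_subdirectory", mod))
    return alerts


def check_file(ev: dict) -> list:
    """Mark-of-the-Web stream removal, and rundll32 creating or deleting anything under C:\\Windows."""
    alerts = []
    target = ev["target"]
    low = target.lower()
    if ev["event"] == "FileDelete" and low.endswith(":zone.identifier"):
        alerts.append(("zone_identifier_stream_deleted", target))
    if low.startswith(WINDIR) and ntpath.basename(ev["image"]).lower() == "rundll32.exe":
        alerts.append(("rundll32_file_activity_in_windir", target))
    return alerts


def scan(events) -> list:
    """Run every event through the matching rule set and return (rule, detail) pairs."""
    out = []
    for ev in events:
        if ev["event"] == "ProcessCreate":
            out.extend(check_process(ev))
        elif ev["event"] in ("FileCreate", "FileDelete"):
            out.extend(check_file(ev))
    return out


# Constructed telemetry modelled on the paths the report observed; the export name and the
# two benign entries are invented for the example and are not from the sandbox run.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "target": "C:\\Windows\\SysWOW64\\Zataohhmydsvookq\\"},
    {"event": "FileDelete", "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "target": "C:\\Windows\\SysWOW64\\Zataohhmydsvookq\\ujdgr.cef:Zone.Identifier"},
    {"event": "ProcessCreate", "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "cmdline": 'rundll32.exe "C:\\Windows\\SysWOW64\\Zataohhmydsvookq\\ujdgr.cef",Export'},
    {"event": "ProcessCreate", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"event": "FileDelete", "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\user\\Downloads\\notes.txt"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Deleting a `:Zone.Identifier` stream is only visible if the telemetry source records alternate data stream names (Sysmon FileDelete does; a plain filename-based collector will show nothing), so the first rule is worth validating against the collector in use before relying on it.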
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01071291 0_2_01071291
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106590E 0_2_0106590E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01063D0C 0_2_01063D0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106BF0C 0_2_0106BF0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106970A 0_2_0106970A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106E10A 0_2_0106E10A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105CB13 0_2_0105CB13
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01054D1E 0_2_01054D1E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01069124 0_2_01069124
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105A92F 0_2_0105A92F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106CD35 0_2_0106CD35
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105F73B 0_2_0105F73B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01066540 0_2_01066540
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105BD61 0_2_0105BD61
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105CF6E 0_2_0105CF6E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01070370 0_2_01070370
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106DB87 0_2_0106DB87
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01054B81 0_2_01054B81
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01063782 0_2_01063782
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01058D80 0_2_01058D80
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105358B 0_2_0105358B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01057795 0_2_01057795
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105B191 0_2_0105B191
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01061591 0_2_01061591
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106E5A7 0_2_0106E5A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01060BA4 0_2_01060BA4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106DDA5 0_2_0106DDA5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010689A2 0_2_010689A2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106E3B5 0_2_0106E3B5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106D7BE 0_2_0106D7BE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010559BF 0_2_010559BF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010543BE 0_2_010543BE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010685B8 0_2_010685B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010519C0 0_2_010519C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010575D2 0_2_010575D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105A3E7 0_2_0105A3E7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010551EC 0_2_010551EC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106EDED 0_2_0106EDED
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106C205 0_2_0106C205
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105800A 0_2_0105800A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0107261E 0_2_0107261E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01059824 0_2_01059824
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106282D 0_2_0106282D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01053228 0_2_01053228
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01053432 0_2_01053432
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105243F 0_2_0105243F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01067445 0_2_01067445
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01063043 0_2_01063043
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105AE43 0_2_0105AE43
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105544C 0_2_0105544C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105AA4E 0_2_0105AA4E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106EA55 0_2_0106EA55
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01056453 0_2_01056453
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105CE5A 0_2_0105CE5A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105B464 0_2_0105B464
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105EE60 0_2_0105EE60
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01053A6C 0_2_01053A6C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106B677 0_2_0106B677
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105387F 0_2_0105387F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105FA78 0_2_0105FA78
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105A083 0_2_0105A083
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105F48A 0_2_0105F48A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01060E97 0_2_01060E97
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01060A93 0_2_01060A93
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106CE90 0_2_0106CE90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105FE9D 0_2_0105FE9D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106009A 0_2_0106009A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106A29B 0_2_0106A29B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106E899 0_2_0106E899
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010592C1 0_2_010592C1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01052CC2 0_2_01052CC2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010720CE 0_2_010720CE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010610CD 0_2_010610CD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010590D4 0_2_010590D4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010628D5 0_2_010628D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010652D1 0_2_010652D1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01071CDB 0_2_01071CDB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010540E2 0_2_010540E2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0105C0EA 0_2_0105C0EA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010656E9 0_2_010656E9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010662F5 0_2_010662F5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01064CF5 0_2_01064CF5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010584F0 0_2_010584F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010640FE 0_2_010640FE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01051EFB 0_2_01051EFB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010546FA 0_2_010546FA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE277B4 0_2_6EE277B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE29F10 0_2_6EE29F10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE21DE0 0_2_6EE21DE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE2D530 0_2_6EE2D530
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE23A90 0_2_6EE23A90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE3E3A1 0_2_6EE3E3A1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE30380 0_2_6EE30380
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE310C0 0_2_6EE310C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE268B0 0_2_6EE268B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE2A890 0_2_6EE2A890
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE2E890 0_2_6EE2E890
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE26070 0_2_6EE26070
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE277B4 2_2_6EE277B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE29F10 2_2_6EE29F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE21DE0 2_2_6EE21DE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE2D530 2_2_6EE2D530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE23A90 2_2_6EE23A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE3E3A1 2_2_6EE3E3A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE30380 2_2_6EE30380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE310C0 2_2_6EE310C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE268B0 2_2_6EE268B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE2A890 2_2_6EE2A890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE2E890 2_2_6EE2E890
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6EE21DE0 appears 97 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6EE3AC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EE21DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EE3AC90 appears 33 times
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: IGidwJjoUs.dll Virustotal: Detection: 18%
Source: IGidwJjoUs.dll ReversingLabs: Detection: 17%
Source: IGidwJjoUs.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,ajkaibu
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,akyncbgollmj
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zataohhmydsvookq\ujdgr.cef",FwwsJBocT
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2888 -ip 2888
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 316
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2888 -ip 2888
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 324
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Zataohhmydsvookq\ujdgr.cef",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,Control_RunDLL Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,ajkaibu Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,akyncbgollmj Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zataohhmydsvookq\ujdgr.cef",FwwsJBocT Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Zataohhmydsvookq\ujdgr.cef",Control_RunDLL Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2888 -ip 2888 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 316 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2888 -ip 2888 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 324 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER247C.tmp Jump to behavior
Source: classification engine Classification label: mal80.troj.evad.winDLL@43/21@0/1
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IGidwJjoUs.dll,Control_RunDLL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5268:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2888
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:4464:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:4540:64:WilError_01
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: IGidwJjoUs.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: IGidwJjoUs.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.542105477.0000000004707000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.557674651.00000000008FC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.558306553.00000000008FC000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.544237016.0000000004A91000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.567799125.0000000004AD1000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000014.00000002.550946257.0000000000712000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000017.00000003.557674651.00000000008FC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.558306553.00000000008FC000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010513E7 push esi; retf 0_2_010513F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE46A93 push ecx; ret 0_2_6EE46AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE46A93 push ecx; ret 2_2_6EE46AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D113E7 push esi; retf 3_2_04D113F0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE2E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6EE2E690

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Zataohhmydsvookq\ujdgr.cef Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Zataohhmydsvookq\ujdgr.cef:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6204 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6336 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE40927 FindFirstFileExW, 0_2_6EE40927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE40927 FindFirstFileExW, 2_2_6EE40927
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: Amcache.hve.20.dr Binary or memory string: VMware
Source: Amcache.hve.20.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: svchost.exe, 00000005.00000002.572072267.000001E606464000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: Amcache.hve.20.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.20.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.20.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.20.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.20.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.20.dr Binary or memory string: VMware7,1
Source: Amcache.hve.20.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.20.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.20.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000005.00000002.572038437.000001E606457000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.586152373.000000000480E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.586113003.00000000047E0000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.584501682.000000000480C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.20.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.20.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.20.dr Binary or memory string: VMware, Inc.me
Source: svchost.exe, 00000005.00000002.569655990.000001E600E29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW]F
Source: Amcache.hve.20.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.20.dr Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: svchost.exe, 00000007.00000002.636267291.00000242C7246000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.636503320.000002110C829000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.20.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE40326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EE40326
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE2E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 0_2_6EE2E690
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE21290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree, 0_2_6EE21290
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010607D2 mov eax, dword ptr fs:[00000030h] 0_2_010607D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE39990 mov eax, dword ptr fs:[00000030h] 0_2_6EE39990
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE3EC0B mov ecx, dword ptr fs:[00000030h] 0_2_6EE3EC0B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE402CC mov eax, dword ptr fs:[00000030h] 0_2_6EE402CC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE39920 mov esi, dword ptr fs:[00000030h] 0_2_6EE39920
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE39920 mov eax, dword ptr fs:[00000030h] 0_2_6EE39920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE39990 mov eax, dword ptr fs:[00000030h] 2_2_6EE39990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE3EC0B mov ecx, dword ptr fs:[00000030h] 2_2_6EE3EC0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE402CC mov eax, dword ptr fs:[00000030h] 2_2_6EE402CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE39920 mov esi, dword ptr fs:[00000030h] 2_2_6EE39920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE39920 mov eax, dword ptr fs:[00000030h] 2_2_6EE39920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D207D2 mov eax, dword ptr fs:[00000030h] 3_2_04D207D2
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0106238F LdrInitializeThunk, 0_2_0106238F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE3A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6EE3A462
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE40326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EE40326
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE3AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EE3AB0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE3A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6EE3A462
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE40326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EE40326
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6EE3AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EE3AB0C
Note: the two call sequences at 0x6EE3A462 and 0x6EE3AB0C (SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess; and IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter) are consistent with the MSVC C runtime's security-failure and abort handlers that every statically linked CRT carries, so an IsDebuggerPresent import reached only from there is weak evidence of deliberate anti-debugging. The direct fs:[30h] PEB reads and the DebugPort query listed above are the stronger indicators; confirm where their result is consumed in a disassembler before crediting the sample with anti-debug logic.
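The fs:[30h] reads listed above are the static evidence behind the PEB-access signatures. The scanner below is an added example, not part of the Joe Sandbox report or its tooling: it reproduces that check over raw x86 code bytes and additionally looks for a follow-up read of PEB.BeingDebugged (byte at offset 2), which separates a debugger check from the far more common PEB.Ldr walk used for API resolution. The sample bytes are constructed for the example; the base address and the look-ahead window are arbitrary assumptions.

```python
import re
from typing import Dict, List

# Register encoded in the ModRM reg field (bits 3..5) of "8B /r".
REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# "mov r32, dword ptr fs:[30h]": FS segment override 0x64, then either the A1
# moffs32 short form (eax only) or 8B /r with mod=00, rm=101 (disp32), followed
# by the 32-bit displacement 0x30. The bracketed ModRM bytes are 0x05 | (reg << 3).
PEB_READ = re.compile(
    rb"\x64(?:\xa1|\x8b([\x05\x0d\x15\x1d\x25\x2d\x35\x3d]))\x30\x00\x00\x00",
    re.DOTALL,
)


def _reads_being_debugged(code: bytes, pos: int, reg: int, window: int = 16) -> bool:
    """True if, within `window` bytes after the PEB read, the code loads or compares
    the byte at [reg+2], i.e. PEB.BeingDebugged. Recognised forms:
      movzx r32, byte ptr [reg+2]   0F B6 /r  (ModRM mod=01, rm=reg, disp8=2)
      mov   r8,  byte ptr [reg+2]   8A /r
      cmp   byte ptr [reg+2], imm8  80 /7     (ModRM = 0x78 | reg)
    `window` is an arbitrary assumption for this example."""
    tail = code[pos:pos + window]
    for i in range(len(tail)):
        if tail[i:i + 2] == b"\x0f\xb6" and i + 3 < len(tail):
            modrm = tail[i + 2]
            if (modrm >> 6) == 1 and (modrm & 7) == reg and tail[i + 3] == 2:
                return True
        if tail[i] == 0x8A and i + 2 < len(tail):
            modrm = tail[i + 1]
            if (modrm >> 6) == 1 and (modrm & 7) == reg and tail[i + 2] == 2:
                return True
        if tail[i] == 0x80 and i + 3 < len(tail):
            if tail[i + 1] == (0x78 | reg) and tail[i + 2] == 2:
                return True
    return False


def find_peb_reads(code: bytes, base: int = 0) -> List[Dict[str, object]]:
    """Locate every direct PEB read and say whether it feeds a BeingDebugged test."""
    hits: List[Dict[str, object]] = []
    for m in PEB_READ.finditer(code):
        # The A1 form has no ModRM byte and always targets eax.
        reg = 0 if m.group(1) is None else (m.group(1)[0] >> 3) & 7
        hits.append({
            "va": base + m.start(),
            "reg": REG_NAMES[reg],
            "being_debugged": _reads_being_debugged(code, m.end(), reg),
        })
    return hits


# Constructed x86 code bytes (not taken from the sample): three PEB reads, two of
# which go on to test BeingDebugged, one of which walks PEB.Ldr instead.
SAMPLE = bytes.fromhex(
    "55 8B EC"               # push ebp ; mov ebp, esp
    "64 A1 30 00 00 00"      # mov eax, dword ptr fs:[30h]   (PEB)
    "0F B6 40 02"            # movzx eax, byte ptr [eax+2]   (PEB.BeingDebugged)
    "85 C0 75 05"            # test eax, eax ; jnz short
    "64 8B 0D 30 00 00 00"   # mov ecx, dword ptr fs:[30h]
    "8B 41 0C"               # mov eax, [ecx+0Ch]            (PEB.Ldr: API resolution)
    "90 90"                  # nop ; nop
    "64 8B 35 30 00 00 00"   # mov esi, dword ptr fs:[30h]
    "80 7E 02 00"            # cmp byte ptr [esi+2], 0       (PEB.BeingDebugged)
    "74 02 31 C0 5D C3"      # je short ; xor eax, eax ; pop ebp ; ret
)

if __name__ == "__main__":
    # 0x6EE30000 is a made-up load address for display only.
    for h in find_peb_reads(SAMPLE, base=0x6EE30000):
        print(f"{h['va']:08X}  mov {h['reg']}, fs:[30h]  BeingDebugged={h['being_debugged']}")
```

Run find_peb_reads over the bytes of the DLL's code section with that section's virtual address as base. Two caveats: the two-step form (mov eax, fs:[18h] then mov eax, [eax+30h]) and any encoding split up by push/ret obfuscation are not matched, so a clean result does not rule the technique out; conversely, CRT start-up code also reads the PEB, so a hit still has to be read in context.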

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IGidwJjoUs.dll",#1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2888 -ip 2888
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 316
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2888 -ip 2888
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 324
Note: the four WerFault.exe launches are Windows Error Reporting reacting to the crash of process 2888 (the -p and -ip arguments name the faulting process; the "One or more processes crash" signature records the same event), not injection by the sample. The line of interest is the cmd.exe to rundll32.exe launch, which loads the DLL from the user's desktop and calls it by export ordinal #1.
Source: loaddll32.exe, 00000000.00000000.553537966.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.538576415.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.554671591.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.536570538.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.635460068.0000000003080000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.553537966.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.538576415.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.554671591.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.536570538.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.635460068.0000000003080000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.553537966.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.538576415.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.554671591.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.536570538.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.635460068.0000000003080000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000000.553537966.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.538576415.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.554671591.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.536570538.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.635460068.0000000003080000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000000.553537966.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.538576415.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.554671591.00000000016E0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.536570538.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 0000001D.00000002.635460068.0000000003080000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Note: every line above is attributed to svchost.exe and concerns the BITS job store (qmgr.db, qmgr.jfm and the edb.log / edb.chk ESE log and checkpoint files under C:\ProgramData\Microsoft\Network\Downloader), which the BITS service touches on its own. None of these queries is attributed to loaddll32.exe or rundll32.exe, so they do not show the sample fingerprinting the volume.
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE3A584 cpuid 0_2_6EE3A584
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE3A755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6EE3A755
Note: GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId and QueryPerformanceCounter in that order is the MSVC C runtime's __security_init_cookie seeding the /GS stack cookie, and the neighbouring cpuid at 0x6EE3A584 sits in the same CRT start-up region; neither is sample-specific environment profiling.

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Note: both signatures are attributed to svchost.exe, not to a process hosting the sample. Enumerating AntiVirusProduct, FirewallProduct and AntiSpywareProduct in ROOT\SecurityCenter2, subscribing to __InstanceOperationEvent for those classes, and writing the Security Center cval value are consistent with the Windows Security Center service's own housekeeping; treat them as environment activity unless loaddll32.exe or rundll32.exe is shown issuing the queries.
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.20.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.20.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000C.00000002.634853419.000001B515640000.00000004.00000001.sdmp Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000C.00000002.634806094.000001B515629000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.634922542.000001B515702000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Note: the MsMpEng.exe strings were found in the Amcache.hve hive, which records every executable that has run on the machine, and in svchost.exe memory, not in loaddll32.exe or rundll32.exe; the Defender service binary's name appearing there says nothing about the sample targeting AV.
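Several hits in this section (the Security Center registry write, the ROOT\SecurityCenter2 WMI queries, the MsMpEng.exe strings) and the volume-information queries further up are attributed to svchost.exe or Amcache.hve rather than to loaddll32.exe or rundll32.exe. Before a signature from an automated report is carried into an incident write-up, an analyst wants to know whether any of its evidence lines came from the sample's own processes. The parser below is an added example, not part of the Joe Sandbox report, that reads evidence in the report's own "Source: ..." line format and buckets each line by origin; the input lines are copied from this report, and the set of processes treated as sample hosts (loaddll32.exe, cmd.exe, rundll32.exe, following the process tree shown here) is an assumption.

```python
import ntpath
import re
from typing import Dict, List

# Processes that host the submitted DLL in this analysis (loaddll32 -> cmd -> rundll32,
# as the process-creation lines in the report show). Assumption for this example.
SAMPLE_HOSTS = {"loaddll32.exe", "cmd.exe", "rundll32.exe"}

# "Source: C:\...\proc.exe <action>: <detail>"
PATH_SOURCE = re.compile(r"^Source:\s+([A-Za-z]:\\\S*?\.exe)\s", re.IGNORECASE)


def source_processes(line: str) -> List[str]:
    """Names of the processes (or the dropped file) an evidence line is attributed to."""
    m = PATH_SOURCE.match(line)
    if m:
        return [ntpath.basename(m.group(1)).lower()]
    # Dump-based evidence lists "proc.exe, <dump>.sdmp, proc.exe, ..." before
    # "Binary or memory string:"; file-based evidence names a dropped file such as
    # Amcache.hve.20.dr instead of a process.
    head = line.split("Binary or memory string:", 1)[0]
    head = head[len("Source:"):].strip()
    procs: List[str] = []
    for tok in head.split(","):
        tok = tok.strip().lower()
        if tok.endswith(".exe") and tok not in procs:
            procs.append(tok)
    return procs or (head.split()[:1] or ["unknown"])


def attribute(report_lines: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Group evidence lines under their signature heading, bucketed by origin."""
    grouped: Dict[str, Dict[str, List[str]]] = {}
    heading = "(no heading)"
    for raw in report_lines:
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("Source:"):
            heading = line  # any non-evidence line is a signature heading
            grouped.setdefault(heading, {"sample": [], "environment": []})
            continue
        procs = source_processes(line)
        bucket = "sample" if any(p in SAMPLE_HOSTS for p in procs) else "environment"
        grouped.setdefault(heading, {"sample": [], "environment": []})[bucket].append(", ".join(procs))
    return grouped


def verdicts(report_lines: List[str]) -> Dict[str, str]:
    """One-line triage verdict per signature heading."""
    out: Dict[str, str] = {}
    for heading, buckets in attribute(report_lines).items():
        n_sample, n_env = len(buckets["sample"]), len(buckets["environment"])
        if n_sample:
            out[heading] = f"attributable to sample ({n_sample} sample-host lines, {n_env} environment lines)"
        else:
            origins = sorted(set(buckets["environment"]))
            out[heading] = f"environment only ({n_env} lines from {origins}); corroborate before attributing"
    return out


# Evidence lines copied from this report, with their headings, used as constructed input.
REPORT = r"""
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.20.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000C.00000002.634853419.000001B515640000.00000004.00000001.sdmp Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EE3EC0B mov ecx, dword ptr fs:[00000030h] 0_2_6EE3EC0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D207D2 mov eax, dword ptr fs:[00000030h] 3_2_04D207D2
""".strip().splitlines()

if __name__ == "__main__":
    for heading, verdict in verdicts(REPORT).items():
        print(f"{heading}\n    -> {verdict}")
```

The verdict is deliberately coarse: a signature whose every evidence line comes from a system service or a dropped hive is a candidate for environment noise, not proof of it, because an injected payload can also run inside svchost.exe. The check earns its keep by telling the analyst which signatures need the process tree and injection evidence read before they are quoted.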

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 0.0.loaddll32.exe.1173618.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.9c21e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.32721e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3453508.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1173618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.6e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1173618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1173618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.32721e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1173618.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.9c21e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3453508.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.7d2460.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1050000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1173618.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1173618.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1173618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1173618.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.7d2460.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.1173618.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.495947216.000000000343A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.554615326.000000000116C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.536076698.00000000006E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.536378557.000000000116C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.553224532.0000000001050000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.537869940.0000000001050000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.627627786.0000000000740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.533240678.0000000000F10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.627859326.00000000007BA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.553425697.000000000116C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.586675822.0000000001050000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.536480862.00000000009AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.487102902.000000000327C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.534996717.000000000325A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.586734813.000000000116C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.554273398.0000000001050000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.497144538.0000000000F00000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.535907567.0000000001050000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.538443258.000000000116C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.496002665.0000000004D10000.00000040.00000010.sdmp, type: MEMORY
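The Yara matches above name unpacked PE regions and memory dumps with the report's own identifiers: <process index>.<phase>.<image>.<base address>.<n>[.raw].unpack and <process index>.<phase>.<dump id>.<address>.<flags>.<flags>.sdmp. The helper below, an added example not taken from the report, collapses such a list into a map of which analysed process held a matching payload and at which addresses, which is the injection picture a responder wants from this section. Reading the first field as a process index (decimal in .unpack names, hexadecimal in .sdmp names, since 14 and 0000000E both denote the same rundll32.exe instance) and the address fields as hexadecimal follows the identifiers on this page; the second field and the two trailing .sdmp fields are left undecoded. The input is a subset of the lines above.

```python
import re
from typing import Dict, List, Optional, Tuple

YARA_LINE = re.compile(r"File source:\s+(?P<ident>\S+),\s+type:\s+(?P<kind>\w+)")

# <proc idx, decimal>.<phase>.<image>.<base, hex>.<n>[.raw].unpack
UNPACK_ID = re.compile(
    r"^(?P<idx>\d+)\.\d+\.(?P<image>.+?\.exe)\.(?P<addr>[0-9a-fA-F]+)\.\d+(?:\.raw)?\.unpack$"
)
# <proc idx, hex>.<phase, hex>.<dump id>.<address, hex>.<flags>.<flags>.sdmp
SDMP_ID = re.compile(
    r"^(?P<idx>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<addr>[0-9A-Fa-f]{16})"
    r"\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp$"
)


def parse_ident(ident: str) -> Optional[Tuple[int, Optional[str], int]]:
    """(process index, image name or None, address) for either identifier form."""
    m = UNPACK_ID.match(ident)
    if m:
        return int(m["idx"]), m["image"].lower(), int(m["addr"], 16)
    m = SDMP_ID.match(ident)
    if m:
        # Memory dumps carry no image name; it is filled in from an .unpack entry
        # of the same process index when one exists.
        return int(m["idx"], 16), None, int(m["addr"], 16)
    return None


def map_payloads(lines: List[str]) -> Dict[int, Dict[str, object]]:
    """Process index -> image name and sorted addresses at which Yara matched."""
    found: Dict[int, Dict[str, object]] = {}
    for line in lines:
        m = YARA_LINE.search(line)
        if not m:
            continue
        parsed = parse_ident(m["ident"])
        if parsed is None:
            continue
        idx, image, addr = parsed
        entry = found.setdefault(idx, {"image": None, "addresses": set()})
        if image:
            entry["image"] = image
        entry["addresses"].add(addr)
    return {idx: {"image": e["image"], "addresses": sorted(e["addresses"])}
            for idx, e in sorted(found.items())}


# Subset of the Yara match lines from this report, used as input.
LINES = [
    "Source: Yara match File source: 0.0.loaddll32.exe.1050000.3.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 0.2.loaddll32.exe.1173618.1.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 4.2.rundll32.exe.f10000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 14.2.rundll32.exe.740000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 3.2.rundll32.exe.4d10000.1.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000003.00000002.495947216.000000000343A000.00000004.00000020.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000E.00000002.627627786.0000000000740000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000000.00000002.586675822.0000000001050000.00000040.00000010.sdmp, type: MEMORY",
]

if __name__ == "__main__":
    for idx, entry in map_payloads(LINES).items():
        addrs = ", ".join(f"0x{a:X}" for a in entry["addresses"])
        print(f"process {idx:>2} ({entry['image']}): {addrs}")
```

On the full list the map shows the payload in loaddll32.exe (index 0) and in five separate rundll32.exe instances (2, 3, 4, 6, 14), each at its own base, which is what to expect when the DLL unpacks in every process that loads it rather than injecting into a single unrelated host.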