Source: iepdf32.dll |
ReversingLabs: Detection: 28% |
Source: iepdf32.dll |
Virustotal: Detection: 16% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 99.2% probability |
Source: iepdf32.dll |
Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL |
Source: iepdf32.dll |
Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
Source: C:\Windows\SysWOW64\rundll32.exe |
File created: C:\Windows\SysWOW64\wgfvki |
Source: iepdf32.dll |
Static PE information: Number of sections : 11 > 10 |
Source: iepdf32.dll |
Binary or memory string: OriginalFilenamepdfium.dll. vs iepdf32.dll |
Source: classification engine |
Classification label: mal60.evad.winDLL@12/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_03 |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iepdf32.dll,FORM_CanRedo |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\iepdf32.dll" |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iepdf32.dll",#1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iepdf32.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iepdf32.dll,FORM_CanUndo |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iepdf32.dll,FORM_DoDocumentAAction |
|
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: apphelp.dll |
Source: iepdf32.dll |
Static PE information: More than 430 > 100 exports found |
Source: iepdf32.dll |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: iepdf32.dll |
Static file information: File size 7314944 > 1048576 |
Source: iepdf32.dll |
Static PE information: Raw size of FRYTYA is bigger than: 0x100000 < 0x6f9000 |
Source: initial sample |
Static PE information: section where entry point is pointing to: FRYTYA |
Source: iepdf32.dll |
Static PE information: section name: GAUXUD |
Source: iepdf32.dll |
Static PE information: section name: MPOQPS |
Source: iepdf32.dll |
Static PE information: section name: YGLGIE |
Source: iepdf32.dll |
Static PE information: section name: GTBYPK |
Source: iepdf32.dll |
Static PE information: section name: JKOIHB |
Source: iepdf32.dll |
Static PE information: section name: FRYTYA |
Source: C:\Windows\System32\loaddll32.exe |
Memory written: PID: 6188 base: B50005 value: E9 8B 2F 83 76 |
Source: C:\Windows\System32\loaddll32.exe |
Memory written: PID: 6188 base: 77382F90 value: E9 7A D0 7C 89 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory written: PID: 3648 base: 3190005 value: E9 8B 2F 1F 74 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory written: PID: 3648 base: 77382F90 value: E9 7A D0 E0 8B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory written: PID: 716 base: 2A10005 value: E9 8B 2F 97 74 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory written: PID: 716 base: 77382F90 value: E9 7A D0 68 8B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory written: PID: 1948 base: 2FD0005 value: E9 8B 2F 3B 74 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory written: PID: 1948 base: 77382F90 value: E9 7A D0 C4 8B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory written: PID: 6308 base: 2E60005 value: E9 8B 2F 52 74 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory written: PID: 6308 base: 77382F90 value: E9 7A D0 AD 8B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe |
API/Special instruction interceptor: Address: 6CBF94A3 |
Source: C:\Windows\System32\loaddll32.exe |
API/Special instruction interceptor: Address: 6CA65302 |
Source: C:\Windows\System32\loaddll32.exe |
API/Special instruction interceptor: Address: 6CA9E3DB |
Source: C:\Windows\System32\loaddll32.exe |
API/Special instruction interceptor: Address: 6CAD422A |
Source: C:\Windows\System32\loaddll32.exe |
API/Special instruction interceptor: Address: 6C68E2C4 |
Source: C:\Windows\System32\loaddll32.exe |
API/Special instruction interceptor: Address: 6C685169 |
Source: C:\Windows\System32\loaddll32.exe |
API/Special instruction interceptor: Address: 6C6D24B9 |
Source: C:\Windows\System32\loaddll32.exe |
API/Special instruction interceptor: Address: 6CC03C04 |
Source: C:\Windows\System32\loaddll32.exe |
API/Special instruction interceptor: Address: 6C734293 |
Source: C:\Windows\System32\loaddll32.exe |
API/Special instruction interceptor: Address: 6CD5878C |
Source: C:\Windows\System32\loaddll32.exe |
API/Special instruction interceptor: Address: 6CC03D35 |
Source: C:\Windows\System32\loaddll32.exe |
API/Special instruction interceptor: Address: 6CBFEA1F |
Source: C:\Windows\System32\loaddll32.exe |
API/Special instruction interceptor: Address: 6C6E621F |
Source: C:\Windows\System32\loaddll32.exe |
API/Special instruction interceptor: Address: 6CAAB887 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe |
Process information queried: ProcessInformation |