Windows Analysis Report
ZJGkxGuyIT.dll

Overview

General Information

Sample name: ZJGkxGuyIT.dll
(renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name: 2ebf32f4a6b63b8dad4dac4bddf1cbee.exe
Analysis ID: 1542665
MD5: 2ebf32f4a6b63b8dad4dac4bddf1cbee
SHA1: 8b9f7739a9a64168b50d3bde17c8e8ee1127671c
SHA256: fde4f048bb013ec3caabbe5862dcb8df0f701659bc9ac04e5bb1c5a3eee58b61
Tags: 64exe
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Hijacks the control flow in another process
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Conhost Spawned By Uncommon Parent Process

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: ZJGkxGuyIT.dll Virustotal: Detection: 10% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: ZJGkxGuyIT.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ntdll.pdb source: loaddll64.exe, 00000000.00000002.1792371427.000001FFB8B09000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793567365.000001FFB930D000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792792121.000001FFB8F05000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793330361.000001FFB910A000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793771115.000001FFB9502000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792577894.000001FFB8D06000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911803970.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911968562.00000000038CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911605994.00000000034C6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911359478.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910092977.0000000002EC2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910526205.00000000030CC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895201861.00000196F17B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895523151.00000196F1BB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895033928.00000196F15B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895364557.00000196F19BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894645590.00000196F11B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894832789.00000196F13BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786543077.00000234B9309000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787336671.00000234B9D06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786878245.00000234B970F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787187145.00000234B9B0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787018729.00000234B990F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786732122.00000234B9508000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1843129716.000002542840F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842592948.0000025428008000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842829424.000002542820D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1841796861.0000025427A07000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842228317.0000025427E0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000
Source: Binary string: ntdll.pdbUGP source: loaddll64.exe, 00000000.00000002.1792371427.000001FFB8B09000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793567365.000001FFB930D000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792792121.000001FFB8F05000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793330361.000001FFB910A000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793771115.000001FFB9502000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792577894.000001FFB8D06000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911803970.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911968562.00000000038CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911605994.00000000034C6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911359478.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910092977.0000000002EC2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910526205.00000000030CC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895201861.00000196F17B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895523151.00000196F1BB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895033928.00000196F15B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895364557.00000196F19BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894645590.00000196F11B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894832789.00000196F13BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786543077.00000234B9309000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787336671.00000234B9D06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786878245.00000234B970F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787187145.00000234B9B0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787018729.00000234B990F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786732122.00000234B9508000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1843129716.000002542840F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842592948.0000025428008000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842829424.000002542820D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1841796861.0000025427A07000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842228317.0000025427E0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0
Source: Amcache.hve.10.dr String found in binary or memory: http://upx.sf.net
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14D520 HeapCreate,VirtualProtect,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,Sleep,memcpy,CoInitialize,SafeArrayCreate,SafeArrayPutElement, 0_2_00007FFE0E14D520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E146D40 memcpy,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,fwrite,fflush, 0_2_00007FFE0E146D40
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000027B70B51B10 NtProtectVirtualMemory,NtCreateSection, 6_2_0000027B70B51B10
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000027B70B51BA8 NtCreateSection, 6_2_0000027B70B51BA8
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_000001E0BE701B10 NtProtectVirtualMemory,NtCreateSection, 13_2_000001E0BE701B10
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_000001E0BE701BA8 NtCreateSection, 13_2_000001E0BE701BA8
Source: C:\Windows\System32\rundll32.exe Code function: 15_2_00000224A1FE1B10 NtProtectVirtualMemory,NtCreateSection, 15_2_00000224A1FE1B10
Source: C:\Windows\System32\rundll32.exe Code function: 15_2_00000224A1FE1BA8 NtCreateSection, 15_2_00000224A1FE1BA8
Source: C:\Windows\System32\loaddll64.exe Code function: 17_2_0000026F88A31B10 NtProtectVirtualMemory,NtCreateSection, 17_2_0000026F88A31B10
Source: C:\Windows\System32\loaddll64.exe Code function: 17_2_0000026F88A31BA8 NtCreateSection, 17_2_0000026F88A31BA8
Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14C870 0_2_00007FFE0E14C870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14F0D0 0_2_00007FFE0E14F0D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E146D40 0_2_00007FFE0E146D40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E135E40 0_2_00007FFE0E135E40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14B640 0_2_00007FFE0E14B640
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E13D310 0_2_00007FFE0E13D310
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E13D760 0_2_00007FFE0E13D760
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E135770 0_2_00007FFE0E135770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E140B70 0_2_00007FFE0E140B70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14A350 0_2_00007FFE0E14A350
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E1347A0 0_2_00007FFE0E1347A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14FFC0 0_2_00007FFE0E14FFC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E13FC60 0_2_00007FFE0E13FC60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E137870 0_2_00007FFE0E137870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E15505A 0_2_00007FFE0E15505A
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E137CE0 0_2_00007FFE0E137CE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E13D970 0_2_00007FFE0E13D970
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E13DD80 0_2_00007FFE0E13DD80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E13BD80 0_2_00007FFE0E13BD80
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E14C870 3_2_00007FFE0E14C870
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E14F0D0 3_2_00007FFE0E14F0D0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E135E40 3_2_00007FFE0E135E40
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E14B640 3_2_00007FFE0E14B640
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E13D310 3_2_00007FFE0E13D310
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E13D760 3_2_00007FFE0E13D760
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E135770 3_2_00007FFE0E135770
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E140B70 3_2_00007FFE0E140B70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E14A350 3_2_00007FFE0E14A350
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E1347A0 3_2_00007FFE0E1347A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E14FFC0 3_2_00007FFE0E14FFC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E13FC60 3_2_00007FFE0E13FC60
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E137870 3_2_00007FFE0E137870
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E15505A 3_2_00007FFE0E15505A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E137CE0 3_2_00007FFE0E137CE0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E13D970 3_2_00007FFE0E13D970
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E146D40 3_2_00007FFE0E146D40
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E13DD80 3_2_00007FFE0E13DD80
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E13BD80 3_2_00007FFE0E13BD80
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E14C870 4_2_00007FFE0E14C870
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E14F0D0 4_2_00007FFE0E14F0D0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E135E40 4_2_00007FFE0E135E40
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E14B640 4_2_00007FFE0E14B640
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E13D310 4_2_00007FFE0E13D310
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E13D760 4_2_00007FFE0E13D760
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E135770 4_2_00007FFE0E135770
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E140B70 4_2_00007FFE0E140B70
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E14A350 4_2_00007FFE0E14A350
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E1347A0 4_2_00007FFE0E1347A0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E14FFC0 4_2_00007FFE0E14FFC0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E13FC60 4_2_00007FFE0E13FC60
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E137870 4_2_00007FFE0E137870
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E15505A 4_2_00007FFE0E15505A
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E137CE0 4_2_00007FFE0E137CE0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E13D970 4_2_00007FFE0E13D970
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E146D40 4_2_00007FFE0E146D40
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E13DD80 4_2_00007FFE0E13DD80
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E13BD80 4_2_00007FFE0E13BD80
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000027B70B50730 6_2_0000027B70B50730
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000027B70B50BAD 6_2_0000027B70B50BAD
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000027B70B50AB3 6_2_0000027B70B50AB3
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000027B70B50B36 6_2_0000027B70B50B36
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000027B70B50999 6_2_0000027B70B50999
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_000001E0BE700730 13_2_000001E0BE700730
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_000001E0BE700AB3 13_2_000001E0BE700AB3
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_000001E0BE700B36 13_2_000001E0BE700B36
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_000001E0BE700BAD 13_2_000001E0BE700BAD
Source: C:\Windows\System32\rundll32.exe Code function: 13_2_000001E0BE700999 13_2_000001E0BE700999
Source: C:\Windows\System32\rundll32.exe Code function: 15_2_00000224A1FE0999 15_2_00000224A1FE0999
Source: C:\Windows\System32\rundll32.exe Code function: 15_2_00000224A1FE0B36 15_2_00000224A1FE0B36
Source: C:\Windows\System32\rundll32.exe Code function: 15_2_00000224A1FE0AB3 15_2_00000224A1FE0AB3
Source: C:\Windows\System32\rundll32.exe Code function: 15_2_00000224A1FE0730 15_2_00000224A1FE0730
Source: C:\Windows\System32\rundll32.exe Code function: 15_2_00000224A1FE0BAD 15_2_00000224A1FE0BAD
Source: C:\Windows\System32\loaddll64.exe Code function: 17_2_0000026F88A30730 17_2_0000026F88A30730
Source: C:\Windows\System32\loaddll64.exe Code function: 17_2_0000026F88A30B36 17_2_0000026F88A30B36
Source: C:\Windows\System32\loaddll64.exe Code function: 17_2_0000026F88A30AB3 17_2_0000026F88A30AB3
Source: C:\Windows\System32\loaddll64.exe Code function: 17_2_0000026F88A30999 17_2_0000026F88A30999
Source: C:\Windows\System32\loaddll64.exe Code function: 17_2_0000026F88A30BAD 17_2_0000026F88A30BAD
One or more processes crash
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6720 -s 452
PE file contains more sections than normal
Source: ZJGkxGuyIT.dll Static PE information: Number of sections : 12 > 10
Source: classification engine Classification label: mal60.evad.winDLL@25/9@0/0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14D040 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll, 0_2_00007FFE0E14D040
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6772
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6720
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d0677b87-b77c-4db0-83a1-98f8c6085e6c Jump to behavior
Source: ZJGkxGuyIT.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll",#1
Source: ZJGkxGuyIT.dll Virustotal: Detection: 10%
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\ZJGkxGuyIT.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllInstall
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllInstall 2580
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6720 -s 452
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6772 -s 400
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllRegisterServer 6976
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllUnregisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllUnregisterServer 6220
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\loaddll64.exe C:\Windows\system32\loaddll64.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll 6296
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\ZJGkxGuyIT.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllInstall Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllUnregisterServer Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\loaddll64.exe C:\Windows\system32\loaddll64.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll 6296 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll",#1 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllInstall 2580 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllRegisterServer 6976 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllUnregisterServer 6220 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: ZJGkxGuyIT.dll Static PE information: Image base 0x357620000 > 0x60000000
Source: ZJGkxGuyIT.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ntdll.pdb source: loaddll64.exe, 00000000.00000002.1792371427.000001FFB8B09000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793567365.000001FFB930D000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792792121.000001FFB8F05000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793330361.000001FFB910A000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793771115.000001FFB9502000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792577894.000001FFB8D06000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911803970.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911968562.00000000038CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911605994.00000000034C6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911359478.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910092977.0000000002EC2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910526205.00000000030CC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895201861.00000196F17B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895523151.00000196F1BB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895033928.00000196F15B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895364557.00000196F19BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894645590.00000196F11B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894832789.00000196F13BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786543077.00000234B9309000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787336671.00000234B9D06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786878245.00000234B970F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787187145.00000234B9B0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787018729.00000234B990F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786732122.00000234B9508000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1843129716.000002542840F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842592948.0000025428008000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842829424.000002542820D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1841796861.0000025427A07000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842228317.0000025427E0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000
Source: Binary string: ntdll.pdbUGP source: loaddll64.exe, 00000000.00000002.1792371427.000001FFB8B09000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793567365.000001FFB930D000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792792121.000001FFB8F05000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793330361.000001FFB910A000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1793771115.000001FFB9502000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.1792577894.000001FFB8D06000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911803970.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911968562.00000000038CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911605994.00000000034C6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1911359478.00000000032C9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910092977.0000000002EC2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1910526205.00000000030CC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895201861.00000196F17B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895523151.00000196F1BB4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895033928.00000196F15B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1895364557.00000196F19BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894645590.00000196F11B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1894832789.00000196F13BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786543077.00000234B9309000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787336671.00000234B9D06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786878245.00000234B970F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787187145.00000234B9B0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1787018729.00000234B990F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1786732122.00000234B9508000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1843129716.000002542840F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842592948.0000025428008000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842829424.000002542820D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1841796861.0000025427A07000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1842228317.0000025427E0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14D520 HeapCreate,VirtualProtect,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,Sleep,memcpy,CoInitialize,SafeArrayCreate,SafeArrayPutElement, 0_2_00007FFE0E14D520
PE file contains sections with non-standard names
Source: ZJGkxGuyIT.dll Static PE information: section name: .eh_fram
Source: ZJGkxGuyIT.dll Static PE information: section name: .xdata
Registers a DLL
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\ZJGkxGuyIT.dll
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E13C670 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FFE0E13C670
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14D040 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll, 0_2_00007FFE0E14D040
Found large amount of non-executed APIs
Source: C:\Windows\System32\regsvr32.exe API coverage: 9.1 %
Source: C:\Windows\System32\rundll32.exe API coverage: 9.0 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Amcache.hve.10.dr Binary or memory string: VMware
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14D040 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll, 0_2_00007FFE0E14D040
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14D040 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll, 0_2_00007FFE0E14D040
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14D520 HeapCreate,VirtualProtect,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,Sleep,memcpy,CoInitialize,SafeArrayCreate,SafeArrayPutElement, 0_2_00007FFE0E14D520
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14C870 CreateFileA,GetFileSize,ReadFile,strcmp,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap, 0_2_00007FFE0E14C870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14D040 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll, 0_2_00007FFE0E14D040
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFE0E14D040 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll, 3_2_00007FFE0E14D040
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00007FFE0E14D040 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll, 4_2_00007FFE0E14D040

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Windows\System32\loaddll64.exe NtAllocateVirtualMemory: Indirect: 0x7FFE0E14D9BE Jump to behavior
Source: C:\Windows\System32\loaddll64.exe NtProtectVirtualMemory: Indirect: 0x7FFE0E146E1A Jump to behavior
Source: C:\Windows\System32\loaddll64.exe NtProtectVirtualMemory: Indirect: 0x7FFE0E14DB26 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe NtWriteVirtualMemory: Indirect: 0x7FFE0E146E3E Jump to behavior
Source: C:\Windows\System32\loaddll64.exe NtWriteVirtualMemory: Indirect: 0x7FFE0E14DAF1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe NtProtectVirtualMemory: Indirect: 0x7FFE0E146E90 Jump to behavior
Hijacks the control flow in another process
Source: C:\Windows\System32\loaddll64.exe Memory written: PID: 5804 base: 26F88A30000 value: E9 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory written: PID: 6976 base: 27B70B50000 value: E9 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory written: PID: 6220 base: 1E0BE700000 value: E9 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory written: PID: 6296 base: 224A1FE0000 value: E9 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\loaddll64.exe C:\Windows\system32\loaddll64.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll 6296 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ZJGkxGuyIT.dll",#1 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllInstall 2580 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllRegisterServer 6976 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\C:\Users\user\Desktop\ZJGkxGuyIT.dll,DllUnregisterServer 6220 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE0E14F0D0 RtlGetVersion,GetTickCount,memcpy,exit,exit, 0_2_00007FFE0E14F0D0
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.10.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: MsMpEng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1542665 Sample: ZJGkxGuyIT.exe Startdate: 26/10/2024 Architecture: WINDOWS Score: 60 34 Multi AV Scanner detection for submitted file 2->34 36 AI detected suspicious sample 2->36 8 loaddll64.exe 1 2->8         started        process3 signatures4 38 Hijacks the control flow in another process 8->38 40 Found direct / indirect Syscall (likely to bypass EDR) 8->40 11 rundll32.exe 8->11         started        14 rundll32.exe 8->14         started        16 rundll32.exe 8->16         started        18 4 other processes 8->18 process5 signatures6 42 Hijacks the control flow in another process 11->42 20 conhost.exe 11->20         started        22 rundll32.exe 11->22         started        24 rundll32.exe 14->24         started        26 rundll32.exe 16->26         started        28 rundll32.exe 18->28         started        30 WerFault.exe 20 16 18->30         started        process7 process8 32 WerFault.exe 20 18 28->32         started       
No contacted IP infos