Windows Analysis Report X5C9EzCB7A

Overview

General Information

Sample Name: X5C9EzCB7A (renamed file extension from none to dll)
Analysis ID: 492086
MD5: dc4fca98a02c5cc7ee5f565c56915c86
SHA1: 4cecd255d9176fff8d0ca18cd3dabd690ce02fbf
SHA256: ae087f890f576dca43d22b3c527b5008547dacd68dfd61440c99370051cc853b
Tags: exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
DLL side loading technique detected
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Windows Update Standalone Installer command line found (may be used to bypass UAC)
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: X5C9EzCB7A.dll Virustotal: Detection: 64%
Source: X5C9EzCB7A.dll Metadefender: Detection: 57%
Source: X5C9EzCB7A.dll ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: X5C9EzCB7A.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\8FwY\dpx.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\2vl\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\0Nty\ReAgent.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\M5A\wer.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\4DETSU\MFC42u.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\B8nn\XmlLite.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\Mnd\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\QEkvVts\WINMM.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\Nom\WTSAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: X5C9EzCB7A.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\8FwY\dpx.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2vl\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\0Nty\ReAgent.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\M5A\wer.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4DETSU\MFC42u.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\B8nn\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Mnd\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QEkvVts\WINMM.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Nom\WTSAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CBF5C8 RegQueryValueExW,RegQueryValueExW,CryptUnprotectData,GetLastError,LocalFree, 34_2_00007FF7D5CBF5C8
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CBF500 CryptProtectData,GetLastError,RegSetValueExW, 34_2_00007FF7D5CBF500
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE1F8780 memset,LocalFree,CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,memset,CreateDirectoryA,GetLastError,GetFileAttributesA,GetLastError,DecryptFileA,GetLastError,MultiByteToWideChar,GetLastError,CryptReleaseContext,LocalFree, 40_2_00007FF6EE1F8780
Source: X5C9EzCB7A.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wusa.pdbGCTL source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp
Source: Binary string: wusa.pdb source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp
Source: Binary string: Wfs.pdbGCTL source: WFS.exe, 00000022.00000002.365079762.00007FF7D5CDC000.00000002.00020000.sdmp
Source: Binary string: WerMgr.pdb source: wermgr.exe, 0000001F.00000000.351011301.00007FF740985000.00000002.00020000.sdmp
Source: Binary string: Wfs.pdb source: WFS.exe, 00000022.00000002.365079762.00007FF7D5CDC000.00000002.00020000.sdmp
Source: Binary string: WerMgr.pdbGCTL source: wermgr.exe, 0000001F.00000000.351011301.00007FF740985000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740981BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose, 31_2_00007FF740981BA0
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF74097BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose, 31_2_00007FF74097BE54
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C871B0 #626,memset,#6887,#1122,#1287,FindFirstFileW,GetLastError,#6886,#1122,#1287,#1287,#624,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,SendMessageW, 34_2_00007FF7D5C871B0
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CA30D8 SendMessageW,GetLastError,wcschr,#626,#2846,FindFirstFileW,GetLastError,#1040,#626,memset,GetLastError,ReadFile,GetLastError,CloseHandle,FindNextFileW,GetLastError,FindClose,GetLastError,#1040,CloseHandle,SendMessageW,#4262,#640,#1122,#1040,#6395,#6395, 34_2_00007FF7D5CA30D8
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C7F0AC GetTempPathW,GetLastError,wcsrchr,_wcsnset,GetCurrentProcessId,FindFirstFileW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,FindClose, 34_2_00007FF7D5C7F0AC
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CB89BC wcscpy_s,wcscat_s,FindFirstFileW,_wcsicmp,FindNextFileW,GetLastError,FindClose, 34_2_00007FF7D5CB89BC
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C85B40 #626,#626,memset,memset,#6887,#620,#1122,#1040,#1287,FindFirstFileW,GetLastError,#6886,#620,#1122,#1040,#1287,#1287,#620,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,#1040,SendMessageW, 34_2_00007FF7D5C85B40
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE1F1BC0 memset,memset,CoInitializeEx,FindFirstFileW,GetLastError,lstrcmpiW,FindNextFileW,GetLastError,GetCommandLineW,EventWrite,FindClose,CoUninitialize,LocalFree, 40_2_00007FF6EE1F1BC0
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE1F8D04 memset,memset,memset,FindFirstFileW,GetLastError,lstrcmpW,lstrcmpW,DeleteFileW,GetLastError,MoveFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,GetLastError,LocalFree, 40_2_00007FF6EE1F8D04
Source: explorer.exe, 00000004.00000000.268276705.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J

E-Banking Fraud:

Yara detected Dridex unpacked file

System Summary:

PE file contains section with special chars
Source: SppExtComObj.Exe.4.dr Static PE information: section name: ?g_Encry
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: String function: 00007FF7D5C738C8 appears 261 times
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: String function: 00007FF6EE1F9520 appears 162 times
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE1F3A2C memset,GetSystemDirectoryW,wcsrchr,memset,CreateProcessAsUserW,GetLastError,WaitForSingleObject,GetLastError,GetExitCodeProcess,GetLastError,GetLastError,CloseHandle,CloseHandle,LocalFree, 40_2_00007FF6EE1F3A2C
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003BFF0 NtDuplicateObject, 0_2_000000014003BFF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003B220 NtReadVirtualMemory,NtQueueApcThread,NtProtectVirtualMemory,NtQueueApcThread,NtProtectVirtualMemory,NtProtectVirtualMemory, 0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140025280 NtDuplicateObject, 0_2_0000000140025280
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003A2E0 NtDuplicateObject,NtQueueApcThread, 0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140025330 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 0_2_0000000140025330
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003BC10 CreateFileMappingW,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 0_2_000000014003BC10
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004E440 NtDelayExecution, 0_2_000000014004E440
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140046C90 NtClose, 0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 NtQuerySystemInformation, 0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003C560 NtDuplicateObject,NtClose, 0_2_000000014003C560
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140039F50 NtReadVirtualMemory, 0_2_0000000140039F50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003BF70 NtDuplicateObject,NtClose, 0_2_000000014003BF70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003AF90 NtQueueApcThread, 0_2_000000014003AF90
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740978404 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 31_2_00007FF740978404
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740981F54 NtQueryLicenseValue, 31_2_00007FF740981F54
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF74097E368 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose, 31_2_00007FF74097E368
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF7409782EC DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 31_2_00007FF7409782EC
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740982438 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue, 31_2_00007FF740982438
PE file contains strange resources
Source: wermgr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WFS.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WFS.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WFS.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wlrmdr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wlrmdr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DevicePairingWizard.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: recdisc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: recdisc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: recdisc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: perfmon.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: perfmon.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: perfmon.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe0.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe0.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe0.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: ACTIVEDS.dll.4.dr Static PE information: Number of sections : 43 > 10
Source: WTSAPI32.dll.4.dr Static PE information: Number of sections : 43 > 10
Source: DUI70.dll0.4.dr Static PE information: Number of sections : 43 > 10
Source: UxTheme.dll0.4.dr Static PE information: Number of sections : 43 > 10
Source: wer.dll.4.dr Static PE information: Number of sections : 43 > 10
Source: XmlLite.dll.4.dr Static PE information: Number of sections : 43 > 10
Source: VERSION.dll.4.dr Static PE information: Number of sections : 43 > 10
Source: DUI70.dll.4.dr Static PE information: Number of sections : 43 > 10
Source: WINMM.dll.4.dr Static PE information: Number of sections : 43 > 10
Source: X5C9EzCB7A.dll Static PE information: Number of sections : 42 > 10
Source: dpx.dll.4.dr Static PE information: Number of sections : 43 > 10
Source: UxTheme.dll.4.dr Static PE information: Number of sections : 43 > 10
Source: MFC42u.dll.4.dr Static PE information: Number of sections : 43 > 10
Source: X5C9EzCB7A.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: wer.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dpx.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ACTIVEDS.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SppExtComObj.Exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: X5C9EzCB7A.dll Virustotal: Detection: 64%
Source: X5C9EzCB7A.dll Metadefender: Detection: 57%
Source: X5C9EzCB7A.dll ReversingLabs: Detection: 75%
Source: X5C9EzCB7A.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddGadgetMessageHandler
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddLayeredRef
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AdjustClipInsideRef
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcA
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcW
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AutoTrace
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginHideInputPaneAnimation
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginShowInputPaneAnimation
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildAnimation
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildDropTarget
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildInterpolation
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CacheDWriteRenderTarget
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ChangeCurrentAnimationScenario
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearPushedOpacitiesFromGadgetTree
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\M5A\wermgr.exe C:\Users\user\AppData\Local\M5A\wermgr.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearTopmostVisual
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WFS.exe C:\Windows\system32\WFS.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\QEkvVts\WFS.exe C:\Users\user\AppData\Local\QEkvVts\WFS.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CreateAction
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\8FwY\wusa.exe C:\Users\user\AppData\Local\8FwY\wusa.exe
Source: C:\Windows\System32\loaddll64.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE1F5438 LookupPrivilegeValueW,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,LocalFree, 40_2_00007FF6EE1F5438
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Source: classification engine Classification label: mal100.troj.evad.winDLL@91/45@0/0
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740978F2C CoInitializeEx,CoCreateInstance,SysAllocString,SysFreeString,CoUninitialize, 31_2_00007FF740978F2C
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: RtlInitUnicodeString,RtlCreateBoundaryDescriptor,RtlInitUnicodeString,RtlCreateServiceSid,GetProcessHeap,HeapAlloc,RtlCreateServiceSid,RtlAddSIDToBoundaryDescriptor,OpenPrivateNamespaceW,GetLastError,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor, 31_2_00007FF74097DE98
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C9541C SendDlgItemMessageW,memset,memset,LoadStringW,FormatMessageW,SetDlgItemTextW,GetLastError,GetLastError,PeekMessageW,TranslateMessage,DispatchMessageW,#5065,#5065,PeekMessageW, 34_2_00007FF7D5C9541C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003C240 GetProcessId,CreateToolhelp32Snapshot,Thread32First, 0_2_000000014003C240
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddGadgetMessageHandler
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Mutant created: \Sessions\1\BaseNamedObjects\{f4c92513-81b4-e2bc-e5ad-0bbbd5f6a12c}
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{3baca1ad-f576-2ca5-ab39-dd9076560d1e}
Source: wusa.exe String found in binary or memory: Failed to display update-installed message box
Source: wusa.exe String found in binary or memory: Failed to display update-not-installed message box
Source: X5C9EzCB7A.dll Static PE information: More than 149 > 100 exports found
Source: X5C9EzCB7A.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: X5C9EzCB7A.dll Static file information: File size 2117632 > 1048576
Source: X5C9EzCB7A.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wusa.pdbGCTL source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp
Source: Binary string: wusa.pdb source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp
Source: Binary string: Wfs.pdbGCTL source: WFS.exe, 00000022.00000002.365079762.00007FF7D5CDC000.00000002.00020000.sdmp
Source: Binary string: WerMgr.pdb source: wermgr.exe, 0000001F.00000000.351011301.00007FF740985000.00000002.00020000.sdmp
Source: Binary string: Wfs.pdb source: WFS.exe, 00000022.00000002.365079762.00007FF7D5CDC000.00000002.00020000.sdmp
Source: Binary string: WerMgr.pdbGCTL source: wermgr.exe, 0000001F.00000000.351011301.00007FF740985000.00000002.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret 0_2_0000000140056A4E
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE201964 push rbx; iretd 40_2_00007FF6EE201965
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE2015F8 push rbx; retf 40_2_00007FF6EE2015F9
PE file contains sections with non-standard names
Source: X5C9EzCB7A.dll Static PE information: section name: .qkm
Source: X5C9EzCB7A.dll Static PE information: section name: .cvjb
Source: X5C9EzCB7A.dll Static PE information: section name: .tlmkv
Source: X5C9EzCB7A.dll Static PE information: section name: .wucsxe
Source: X5C9EzCB7A.dll Static PE information: section name: .fltwtj
Source: X5C9EzCB7A.dll Static PE information: section name: .sfplio
Source: X5C9EzCB7A.dll Static PE information: section name: .rpg
Source: X5C9EzCB7A.dll Static PE information: section name: .bewzc
Source: X5C9EzCB7A.dll Static PE information: section name: .vksvaw
Source: X5C9EzCB7A.dll Static PE information: section name: .wmhg
Source: X5C9EzCB7A.dll Static PE information: section name: .kswemc
Source: X5C9EzCB7A.dll Static PE information: section name: .kaxfk
Source: X5C9EzCB7A.dll Static PE information: section name: .pjf
Source: X5C9EzCB7A.dll Static PE information: section name: .favk
Source: X5C9EzCB7A.dll Static PE information: section name: .vhtukj
Source: X5C9EzCB7A.dll Static PE information: section name: .hmbyox
Source: X5C9EzCB7A.dll Static PE information: section name: .txms
Source: X5C9EzCB7A.dll Static PE information: section name: .vqqm
Source: X5C9EzCB7A.dll Static PE information: section name: .cbwb
Source: X5C9EzCB7A.dll Static PE information: section name: .cti
Source: X5C9EzCB7A.dll Static PE information: section name: .ktfjac
Source: X5C9EzCB7A.dll Static PE information: section name: .hvmici
Source: X5C9EzCB7A.dll Static PE information: section name: .bvyyd
Source: X5C9EzCB7A.dll Static PE information: section name: .qhjn
Source: X5C9EzCB7A.dll Static PE information: section name: .bsvkca
Source: X5C9EzCB7A.dll Static PE information: section name: .nvpgx
Source: X5C9EzCB7A.dll Static PE information: section name: .yaa
Source: X5C9EzCB7A.dll Static PE information: section name: .qsimby
Source: X5C9EzCB7A.dll Static PE information: section name: .dibg
Source: X5C9EzCB7A.dll Static PE information: section name: .odxfk
Source: X5C9EzCB7A.dll Static PE information: section name: .zczpdd
Source: X5C9EzCB7A.dll Static PE information: section name: .iceycz
Source: X5C9EzCB7A.dll Static PE information: section name: .lwp
Source: X5C9EzCB7A.dll Static PE information: section name: .ejt
Source: X5C9EzCB7A.dll Static PE information: section name: .gzpi
Source: X5C9EzCB7A.dll Static PE information: section name: .oima
Source: wermgr.exe.4.dr Static PE information: section name: .imrsiv
Source: wermgr.exe.4.dr Static PE information: section name: .didat
Source: WFS.exe.4.dr Static PE information: section name: .didat
Source: SndVol.exe.4.dr Static PE information: section name: .imrsiv
Source: SndVol.exe.4.dr Static PE information: section name: .didat
Source: wlrmdr.exe.4.dr Static PE information: section name: .imrsiv
Source: ProximityUxHost.exe.4.dr Static PE information: section name: .imrsiv
Source: wermgr.exe0.4.dr Static PE information: section name: .imrsiv
Source: wermgr.exe0.4.dr Static PE information: section name: .didat
Source: LicensingUI.exe.4.dr Static PE information: section name: .imrsiv
Source: wer.dll.4.dr Static PE information: section name: .qkm
Source: wer.dll.4.dr Static PE information: section name: .cvjb
Source: wer.dll.4.dr Static PE information: section name: .tlmkv
Source: wer.dll.4.dr Static PE information: section name: .wucsxe
Source: wer.dll.4.dr Static PE information: section name: .fltwtj
Source: wer.dll.4.dr Static PE information: section name: .sfplio
Source: wer.dll.4.dr Static PE information: section name: .rpg
Source: wer.dll.4.dr Static PE information: section name: .bewzc
Source: wer.dll.4.dr Static PE information: section name: .vksvaw
Source: wer.dll.4.dr Static PE information: section name: .wmhg
Source: wer.dll.4.dr Static PE information: section name: .kswemc
Source: wer.dll.4.dr Static PE information: section name: .kaxfk
Source: wer.dll.4.dr Static PE information: section name: .pjf
Source: wer.dll.4.dr Static PE information: section name: .favk
Source: wer.dll.4.dr Static PE information: section name: .vhtukj
Source: wer.dll.4.dr Static PE information: section name: .hmbyox
Source: wer.dll.4.dr Static PE information: section name: .txms
Source: wer.dll.4.dr Static PE information: section name: .vqqm
Source: wer.dll.4.dr Static PE information: section name: .cbwb
Source: wer.dll.4.dr Static PE information: section name: .cti
Source: wer.dll.4.dr Static PE information: section name: .ktfjac
Source: wer.dll.4.dr Static PE information: section name: .hvmici
Source: wer.dll.4.dr Static PE information: section name: .bvyyd
Source: wer.dll.4.dr Static PE information: section name: .qhjn
Source: wer.dll.4.dr Static PE information: section name: .bsvkca
Source: wer.dll.4.dr Static PE information: section name: .nvpgx
Source: wer.dll.4.dr Static PE information: section name: .yaa
Source: wer.dll.4.dr Static PE information: section name: .qsimby
Source: wer.dll.4.dr Static PE information: section name: .dibg
Source: wer.dll.4.dr Static PE information: section name: .odxfk
Source: wer.dll.4.dr Static PE information: section name: .zczpdd
Source: wer.dll.4.dr Static PE information: section name: .iceycz
Source: wer.dll.4.dr Static PE information: section name: .lwp
Source: wer.dll.4.dr Static PE information: section name: .ejt
Source: wer.dll.4.dr Static PE information: section name: .gzpi
Source: wer.dll.4.dr Static PE information: section name: .oima
Source: wer.dll.4.dr Static PE information: section name: .akm
Source: WINMM.dll.4.dr Static PE information: section name: .qkm
Source: WINMM.dll.4.dr Static PE information: section name: .cvjb
Source: WINMM.dll.4.dr Static PE information: section name: .tlmkv
Source: WINMM.dll.4.dr Static PE information: section name: .wucsxe
Source: WINMM.dll.4.dr Static PE information: section name: .fltwtj
Source: WINMM.dll.4.dr Static PE information: section name: .sfplio
Source: WINMM.dll.4.dr Static PE information: section name: .rpg
Source: WINMM.dll.4.dr Static PE information: section name: .bewzc
Source: WINMM.dll.4.dr Static PE information: section name: .vksvaw
Source: WINMM.dll.4.dr Static PE information: section name: .wmhg
Source: WINMM.dll.4.dr Static PE information: section name: .kswemc
Source: WINMM.dll.4.dr Static PE information: section name: .kaxfk
Source: WINMM.dll.4.dr Static PE information: section name: .pjf
Source: WINMM.dll.4.dr Static PE information: section name: .favk
Source: WINMM.dll.4.dr Static PE information: section name: .vhtukj
Source: WINMM.dll.4.dr Static PE information: section name: .hmbyox
Source: WINMM.dll.4.dr Static PE information: section name: .txms
Source: WINMM.dll.4.dr Static PE information: section name: .vqqm
Source: WINMM.dll.4.dr Static PE information: section name: .cbwb
Source: WINMM.dll.4.dr Static PE information: section name: .cti
Source: WINMM.dll.4.dr Static PE information: section name: .ktfjac
Source: WINMM.dll.4.dr Static PE information: section name: .hvmici
Source: WINMM.dll.4.dr Static PE information: section name: .bvyyd
Source: WINMM.dll.4.dr Static PE information: section name: .qhjn
Source: WINMM.dll.4.dr Static PE information: section name: .bsvkca
Source: WINMM.dll.4.dr Static PE information: section name: .nvpgx
Source: WINMM.dll.4.dr Static PE information: section name: .yaa
Source: WINMM.dll.4.dr Static PE information: section name: .qsimby
Source: WINMM.dll.4.dr Static PE information: section name: .dibg
Source: WINMM.dll.4.dr Static PE information: section name: .odxfk
Source: WINMM.dll.4.dr Static PE information: section name: .zczpdd
Source: WINMM.dll.4.dr Static PE information: section name: .iceycz
Source: WINMM.dll.4.dr Static PE information: section name: .lwp
Source: WINMM.dll.4.dr Static PE information: section name: .ejt
Source: WINMM.dll.4.dr Static PE information: section name: .gzpi
Source: WINMM.dll.4.dr Static PE information: section name: .oima
Source: WINMM.dll.4.dr Static PE information: section name: .saaaq
Source: dpx.dll.4.dr Static PE information: section name: .qkm
Source: dpx.dll.4.dr Static PE information: section name: .cvjb
Source: dpx.dll.4.dr Static PE information: section name: .tlmkv
Source: dpx.dll.4.dr Static PE information: section name: .wucsxe
Source: dpx.dll.4.dr Static PE information: section name: .fltwtj
Source: dpx.dll.4.dr Static PE information: section name: .sfplio
Source: dpx.dll.4.dr Static PE information: section name: .rpg
Source: dpx.dll.4.dr Static PE information: section name: .bewzc
Source: dpx.dll.4.dr Static PE information: section name: .vksvaw
Source: dpx.dll.4.dr Static PE information: section name: .wmhg
Source: dpx.dll.4.dr Static PE information: section name: .kswemc
Source: dpx.dll.4.dr Static PE information: section name: .kaxfk
Source: dpx.dll.4.dr Static PE information: section name: .pjf
Source: dpx.dll.4.dr Static PE information: section name: .favk
Source: dpx.dll.4.dr Static PE information: section name: .vhtukj
Source: dpx.dll.4.dr Static PE information: section name: .hmbyox
Source: dpx.dll.4.dr Static PE information: section name: .txms
Source: dpx.dll.4.dr Static PE information: section name: .vqqm
Source: dpx.dll.4.dr Static PE information: section name: .cbwb
Source: dpx.dll.4.dr Static PE information: section name: .cti
Source: dpx.dll.4.dr Static PE information: section name: .ktfjac
Source: dpx.dll.4.dr Static PE information: section name: .hvmici
Source: dpx.dll.4.dr Static PE information: section name: .bvyyd
Source: dpx.dll.4.dr Static PE information: section name: .qhjn
Source: dpx.dll.4.dr Static PE information: section name: .bsvkca
Source: dpx.dll.4.dr Static PE information: section name: .nvpgx
Source: dpx.dll.4.dr Static PE information: section name: .yaa
Source: dpx.dll.4.dr Static PE information: section name: .qsimby
Source: dpx.dll.4.dr Static PE information: section name: .dibg
Source: dpx.dll.4.dr Static PE information: section name: .odxfk
Source: dpx.dll.4.dr Static PE information: section name: .zczpdd
Source: dpx.dll.4.dr Static PE information: section name: .iceycz
Source: dpx.dll.4.dr Static PE information: section name: .lwp
Source: dpx.dll.4.dr Static PE information: section name: .ejt
Source: dpx.dll.4.dr Static PE information: section name: .gzpi
Source: dpx.dll.4.dr Static PE information: section name: .oima
Source: dpx.dll.4.dr Static PE information: section name: .hmoki
Source: UxTheme.dll.4.dr Static PE information: section name: .qkm
Source: UxTheme.dll.4.dr Static PE information: section name: .cvjb
Source: UxTheme.dll.4.dr Static PE information: section name: .tlmkv
Source: UxTheme.dll.4.dr Static PE information: section name: .wucsxe
Source: UxTheme.dll.4.dr Static PE information: section name: .fltwtj
Source: UxTheme.dll.4.dr Static PE information: section name: .sfplio
Source: UxTheme.dll.4.dr Static PE information: section name: .rpg
Source: UxTheme.dll.4.dr Static PE information: section name: .bewzc
Source: UxTheme.dll.4.dr Static PE information: section name: .vksvaw
Source: UxTheme.dll.4.dr Static PE information: section name: .wmhg
Source: UxTheme.dll.4.dr Static PE information: section name: .kswemc
Source: UxTheme.dll.4.dr Static PE information: section name: .kaxfk
Source: UxTheme.dll.4.dr Static PE information: section name: .pjf
Source: UxTheme.dll.4.dr Static PE information: section name: .favk
Source: UxTheme.dll.4.dr Static PE information: section name: .vhtukj
Source: UxTheme.dll.4.dr Static PE information: section name: .hmbyox
Source: UxTheme.dll.4.dr Static PE information: section name: .txms
Source: UxTheme.dll.4.dr Static PE information: section name: .vqqm
Source: UxTheme.dll.4.dr Static PE information: section name: .cbwb
Source: UxTheme.dll.4.dr Static PE information: section name: .cti
Source: UxTheme.dll.4.dr Static PE information: section name: .ktfjac
Source: UxTheme.dll.4.dr Static PE information: section name: .hvmici
Source: UxTheme.dll.4.dr Static PE information: section name: .bvyyd
Source: UxTheme.dll.4.dr Static PE information: section name: .qhjn
Source: UxTheme.dll.4.dr Static PE information: section name: .bsvkca
Source: UxTheme.dll.4.dr Static PE information: section name: .nvpgx
Source: UxTheme.dll.4.dr Static PE information: section name: .yaa
Source: UxTheme.dll.4.dr Static PE information: section name: .qsimby
Source: UxTheme.dll.4.dr Static PE information: section name: .dibg
Source: UxTheme.dll.4.dr Static PE information: section name: .odxfk
Source: UxTheme.dll.4.dr Static PE information: section name: .zczpdd
Source: UxTheme.dll.4.dr Static PE information: section name: .iceycz
Source: UxTheme.dll.4.dr Static PE information: section name: .lwp
Source: UxTheme.dll.4.dr Static PE information: section name: .ejt
Source: UxTheme.dll.4.dr Static PE information: section name: .gzpi
Source: UxTheme.dll.4.dr Static PE information: section name: .oima
Source: UxTheme.dll.4.dr Static PE information: section name: .sbt
Source: DUI70.dll.4.dr Static PE information: section name: .qkm
Source: DUI70.dll.4.dr Static PE information: section name: .cvjb
Source: DUI70.dll.4.dr Static PE information: section name: .tlmkv
Source: DUI70.dll.4.dr Static PE information: section name: .wucsxe
Source: DUI70.dll.4.dr Static PE information: section name: .fltwtj
Source: DUI70.dll.4.dr Static PE information: section name: .sfplio
Source: DUI70.dll.4.dr Static PE information: section name: .rpg
Source: DUI70.dll.4.dr Static PE information: section name: .bewzc
Source: DUI70.dll.4.dr Static PE information: section name: .vksvaw
Source: DUI70.dll.4.dr Static PE information: section name: .wmhg
Source: DUI70.dll.4.dr Static PE information: section name: .kswemc
Source: DUI70.dll.4.dr Static PE information: section name: .kaxfk
Source: DUI70.dll.4.dr Static PE information: section name: .pjf
Source: DUI70.dll.4.dr Static PE information: section name: .favk
Source: DUI70.dll.4.dr Static PE information: section name: .vhtukj
Source: DUI70.dll.4.dr Static PE information: section name: .hmbyox
Source: DUI70.dll.4.dr Static PE information: section name: .txms
Source: DUI70.dll.4.dr Static PE information: section name: .vqqm
Source: DUI70.dll.4.dr Static PE information: section name: .cbwb
Source: DUI70.dll.4.dr Static PE information: section name: .cti
Source: DUI70.dll.4.dr Static PE information: section name: .ktfjac
Source: DUI70.dll.4.dr Static PE information: section name: .hvmici
Source: DUI70.dll.4.dr Static PE information: section name: .bvyyd
Source: DUI70.dll.4.dr Static PE information: section name: .qhjn
Source: DUI70.dll.4.dr Static PE information: section name: .bsvkca
Source: DUI70.dll.4.dr Static PE information: section name: .nvpgx
Source: DUI70.dll.4.dr Static PE information: section name: .yaa
Source: DUI70.dll.4.dr Static PE information: section name: .qsimby
Source: DUI70.dll.4.dr Static PE information: section name: .dibg
Source: DUI70.dll.4.dr Static PE information: section name: .odxfk
Source: DUI70.dll.4.dr Static PE information: section name: .zczpdd
Source: DUI70.dll.4.dr Static PE information: section name: .iceycz
Source: DUI70.dll.4.dr Static PE information: section name: .lwp
Source: DUI70.dll.4.dr Static PE information: section name: .ejt
Source: DUI70.dll.4.dr Static PE information: section name: .gzpi
Source: DUI70.dll.4.dr Static PE information: section name: .oima
Source: DUI70.dll.4.dr Static PE information: section name: .iokrmu
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qkm
Source: WTSAPI32.dll.4.dr Static PE information: section name: .cvjb
Source: WTSAPI32.dll.4.dr Static PE information: section name: .tlmkv
Source: WTSAPI32.dll.4.dr Static PE information: section name: .wucsxe
Source: WTSAPI32.dll.4.dr Static PE information: section name: .fltwtj
Source: WTSAPI32.dll.4.dr Static PE information: section name: .sfplio
Source: WTSAPI32.dll.4.dr Static PE information: section name: .rpg
Source: WTSAPI32.dll.4.dr Static PE information: section name: .bewzc
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vksvaw
Source: WTSAPI32.dll.4.dr Static PE information: section name: .wmhg
Source: WTSAPI32.dll.4.dr Static PE information: section name: .kswemc
Source: WTSAPI32.dll.4.dr Static PE information: section name: .kaxfk
Source: WTSAPI32.dll.4.dr Static PE information: section name: .pjf
Source: WTSAPI32.dll.4.dr Static PE information: section name: .favk
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vhtukj
Source: WTSAPI32.dll.4.dr Static PE information: section name: .hmbyox
Source: WTSAPI32.dll.4.dr Static PE information: section name: .txms
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vqqm
Source: WTSAPI32.dll.4.dr Static PE information: section name: .cbwb
Source: WTSAPI32.dll.4.dr Static PE information: section name: .cti
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ktfjac
Source: WTSAPI32.dll.4.dr Static PE information: section name: .hvmici
Source: WTSAPI32.dll.4.dr Static PE information: section name: .bvyyd
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qhjn
Source: WTSAPI32.dll.4.dr Static PE information: section name: .bsvkca
Source: WTSAPI32.dll.4.dr Static PE information: section name: .nvpgx
Source: WTSAPI32.dll.4.dr Static PE information: section name: .yaa
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qsimby
Source: WTSAPI32.dll.4.dr Static PE information: section name: .dibg
Source: WTSAPI32.dll.4.dr Static PE information: section name: .odxfk
Source: WTSAPI32.dll.4.dr Static PE information: section name: .zczpdd
Source: WTSAPI32.dll.4.dr Static PE information: section name: .iceycz
Source: WTSAPI32.dll.4.dr Static PE information: section name: .lwp
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ejt
Source: WTSAPI32.dll.4.dr Static PE information: section name: .gzpi
Source: WTSAPI32.dll.4.dr Static PE information: section name: .oima
Source: WTSAPI32.dll.4.dr Static PE information: section name: .bxvwc
Source: UxTheme.dll0.4.dr Static PE information: section name: .qkm
Source: UxTheme.dll0.4.dr Static PE information: section name: .cvjb
Source: UxTheme.dll0.4.dr Static PE information: section name: .tlmkv
Source: UxTheme.dll0.4.dr Static PE information: section name: .wucsxe
Source: UxTheme.dll0.4.dr Static PE information: section name: .fltwtj
Source: UxTheme.dll0.4.dr Static PE information: section name: .sfplio
Source: UxTheme.dll0.4.dr Static PE information: section name: .rpg
Source: UxTheme.dll0.4.dr Static PE information: section name: .bewzc
Source: UxTheme.dll0.4.dr Static PE information: section name: .vksvaw
Source: UxTheme.dll0.4.dr Static PE information: section name: .wmhg
Source: UxTheme.dll0.4.dr Static PE information: section name: .kswemc
Source: UxTheme.dll0.4.dr Static PE information: section name: .kaxfk
Source: UxTheme.dll0.4.dr Static PE information: section name: .pjf
Source: UxTheme.dll0.4.dr Static PE information: section name: .favk
Source: UxTheme.dll0.4.dr Static PE information: section name: .vhtukj
Source: UxTheme.dll0.4.dr Static PE information: section name: .hmbyox
Source: UxTheme.dll0.4.dr Static PE information: section name: .txms
Source: UxTheme.dll0.4.dr Static PE information: section name: .vqqm
Source: UxTheme.dll0.4.dr Static PE information: section name: .cbwb
Source: UxTheme.dll0.4.dr Static PE information: section name: .cti
Source: UxTheme.dll0.4.dr Static PE information: section name: .ktfjac
Source: UxTheme.dll0.4.dr Static PE information: section name: .hvmici
Source: UxTheme.dll0.4.dr Static PE information: section name: .bvyyd
Source: UxTheme.dll0.4.dr Static PE information: section name: .qhjn
Source: UxTheme.dll0.4.dr Static PE information: section name: .bsvkca
Source: UxTheme.dll0.4.dr Static PE information: section name: .nvpgx
Source: UxTheme.dll0.4.dr Static PE information: section name: .yaa
Source: UxTheme.dll0.4.dr Static PE information: section name: .qsimby
Source: UxTheme.dll0.4.dr Static PE information: section name: .dibg
Source: UxTheme.dll0.4.dr Static PE information: section name: .odxfk
Source: UxTheme.dll0.4.dr Static PE information: section name: .zczpdd
Source: UxTheme.dll0.4.dr Static PE information: section name: .iceycz
Source: UxTheme.dll0.4.dr Static PE information: section name: .lwp
Source: UxTheme.dll0.4.dr Static PE information: section name: .ejt
Source: UxTheme.dll0.4.dr Static PE information: section name: .gzpi
Source: UxTheme.dll0.4.dr Static PE information: section name: .oima
Source: UxTheme.dll0.4.dr Static PE information: section name: .zpg
Source: DUI70.dll0.4.dr Static PE information: section name: .qkm
Source: DUI70.dll0.4.dr Static PE information: section name: .cvjb
Source: DUI70.dll0.4.dr Static PE information: section name: .tlmkv
Source: DUI70.dll0.4.dr Static PE information: section name: .wucsxe
Source: DUI70.dll0.4.dr Static PE information: section name: .fltwtj
Source: DUI70.dll0.4.dr Static PE information: section name: .sfplio
Source: DUI70.dll0.4.dr Static PE information: section name: .rpg
Source: DUI70.dll0.4.dr Static PE information: section name: .bewzc
Source: DUI70.dll0.4.dr Static PE information: section name: .vksvaw
Source: DUI70.dll0.4.dr Static PE information: section name: .wmhg
Source: DUI70.dll0.4.dr Static PE information: section name: .kswemc
Source: DUI70.dll0.4.dr Static PE information: section name: .kaxfk
Source: DUI70.dll0.4.dr Static PE information: section name: .pjf
Source: DUI70.dll0.4.dr Static PE information: section name: .favk
Source: DUI70.dll0.4.dr Static PE information: section name: .vhtukj
Source: DUI70.dll0.4.dr Static PE information: section name: .hmbyox
Source: DUI70.dll0.4.dr Static PE information: section name: .txms
Source: DUI70.dll0.4.dr Static PE information: section name: .vqqm
Source: DUI70.dll0.4.dr Static PE information: section name: .cbwb
Source: DUI70.dll0.4.dr Static PE information: section name: .cti
Source: DUI70.dll0.4.dr Static PE information: section name: .ktfjac
Source: DUI70.dll0.4.dr Static PE information: section name: .hvmici
Source: DUI70.dll0.4.dr Static PE information: section name: .bvyyd
Source: DUI70.dll0.4.dr Static PE information: section name: .qhjn
Source: DUI70.dll0.4.dr Static PE information: section name: .bsvkca
Source: DUI70.dll0.4.dr Static PE information: section name: .nvpgx
Source: DUI70.dll0.4.dr Static PE information: section name: .yaa
Source: DUI70.dll0.4.dr Static PE information: section name: .qsimby
Source: DUI70.dll0.4.dr Static PE information: section name: .dibg
Source: DUI70.dll0.4.dr Static PE information: section name: .odxfk
Source: DUI70.dll0.4.dr Static PE information: section name: .zczpdd
Source: DUI70.dll0.4.dr Static PE information: section name: .iceycz
Source: DUI70.dll0.4.dr Static PE information: section name: .lwp
Source: DUI70.dll0.4.dr Static PE information: section name: .ejt
Source: DUI70.dll0.4.dr Static PE information: section name: .gzpi
Source: DUI70.dll0.4.dr Static PE information: section name: .oima
Source: DUI70.dll0.4.dr Static PE information: section name: .cltwqt
Source: XmlLite.dll.4.dr Static PE information: section name: .qkm
Source: XmlLite.dll.4.dr Static PE information: section name: .cvjb
Source: XmlLite.dll.4.dr Static PE information: section name: .tlmkv
Source: XmlLite.dll.4.dr Static PE information: section name: .wucsxe
Source: XmlLite.dll.4.dr Static PE information: section name: .fltwtj
Source: XmlLite.dll.4.dr Static PE information: section name: .sfplio
Source: XmlLite.dll.4.dr Static PE information: section name: .rpg
Source: XmlLite.dll.4.dr Static PE information: section name: .bewzc
Source: XmlLite.dll.4.dr Static PE information: section name: .vksvaw
Source: XmlLite.dll.4.dr Static PE information: section name: .wmhg
Source: XmlLite.dll.4.dr Static PE information: section name: .kswemc
Source: XmlLite.dll.4.dr Static PE information: section name: .kaxfk
Source: XmlLite.dll.4.dr Static PE information: section name: .pjf
Source: XmlLite.dll.4.dr Static PE information: section name: .favk
Source: XmlLite.dll.4.dr Static PE information: section name: .vhtukj
Source: XmlLite.dll.4.dr Static PE information: section name: .hmbyox
Source: XmlLite.dll.4.dr Static PE information: section name: .txms
Source: XmlLite.dll.4.dr Static PE information: section name: .vqqm
Source: XmlLite.dll.4.dr Static PE information: section name: .cbwb
Source: XmlLite.dll.4.dr Static PE information: section name: .cti
Source: XmlLite.dll.4.dr Static PE information: section name: .ktfjac
Source: XmlLite.dll.4.dr Static PE information: section name: .hvmici
Source: XmlLite.dll.4.dr Static PE information: section name: .bvyyd
Source: XmlLite.dll.4.dr Static PE information: section name: .qhjn
Source: XmlLite.dll.4.dr Static PE information: section name: .bsvkca
Source: XmlLite.dll.4.dr Static PE information: section name: .nvpgx
Source: XmlLite.dll.4.dr Static PE information: section name: .yaa
Source: XmlLite.dll.4.dr Static PE information: section name: .qsimby
Source: XmlLite.dll.4.dr Static PE information: section name: .dibg
Source: XmlLite.dll.4.dr Static PE information: section name: .odxfk
Source: XmlLite.dll.4.dr Static PE information: section name: .zczpdd
Source: XmlLite.dll.4.dr Static PE information: section name: .iceycz
Source: XmlLite.dll.4.dr Static PE information: section name: .lwp
Source: XmlLite.dll.4.dr Static PE information: section name: .ejt
Source: XmlLite.dll.4.dr Static PE information: section name: .gzpi
Source: XmlLite.dll.4.dr Static PE information: section name: .oima
Source: XmlLite.dll.4.dr Static PE information: section name: .yhjpr
Source: MFC42u.dll.4.dr Static PE information: section name: .qkm
Source: MFC42u.dll.4.dr Static PE information: section name: .cvjb
Source: MFC42u.dll.4.dr Static PE information: section name: .tlmkv
Source: MFC42u.dll.4.dr Static PE information: section name: .wucsxe
Source: MFC42u.dll.4.dr Static PE information: section name: .fltwtj
Source: MFC42u.dll.4.dr Static PE information: section name: .sfplio
Source: MFC42u.dll.4.dr Static PE information: section name: .rpg
Source: MFC42u.dll.4.dr Static PE information: section name: .bewzc
Source: MFC42u.dll.4.dr Static PE information: section name: .vksvaw
Source: MFC42u.dll.4.dr Static PE information: section name: .wmhg
Source: MFC42u.dll.4.dr Static PE information: section name: .kswemc
Source: MFC42u.dll.4.dr Static PE information: section name: .kaxfk
Source: MFC42u.dll.4.dr Static PE information: section name: .pjf
Source: MFC42u.dll.4.dr Static PE information: section name: .favk
Source: MFC42u.dll.4.dr Static PE information: section name: .vhtukj
Source: MFC42u.dll.4.dr Static PE information: section name: .hmbyox
Source: MFC42u.dll.4.dr Static PE information: section name: .txms
Source: MFC42u.dll.4.dr Static PE information: section name: .vqqm
Source: MFC42u.dll.4.dr Static PE information: section name: .cbwb
Source: MFC42u.dll.4.dr Static PE information: section name: .cti
Source: MFC42u.dll.4.dr Static PE information: section name: .ktfjac
Source: MFC42u.dll.4.dr Static PE information: section name: .hvmici
Source: MFC42u.dll.4.dr Static PE information: section name: .bvyyd
Source: MFC42u.dll.4.dr Static PE information: section name: .qhjn
Source: MFC42u.dll.4.dr Static PE information: section name: .bsvkca
Source: MFC42u.dll.4.dr Static PE information: section name: .nvpgx
Source: MFC42u.dll.4.dr Static PE information: section name: .yaa
Source: MFC42u.dll.4.dr Static PE information: section name: .qsimby
Source: MFC42u.dll.4.dr Static PE information: section name: .dibg
Source: MFC42u.dll.4.dr Static PE information: section name: .odxfk
Source: MFC42u.dll.4.dr Static PE information: section name: .zczpdd
Source: MFC42u.dll.4.dr Static PE information: section name: .iceycz
Source: MFC42u.dll.4.dr Static PE information: section name: .lwp
Source: MFC42u.dll.4.dr Static PE information: section name: .ejt
Source: MFC42u.dll.4.dr Static PE information: section name: .gzpi
Source: MFC42u.dll.4.dr Static PE information: section name: .oima
Source: MFC42u.dll.4.dr Static PE information: section name: .hpnemo
Source: VERSION.dll.4.dr Static PE information: section name: .qkm
Source: VERSION.dll.4.dr Static PE information: section name: .cvjb
Source: VERSION.dll.4.dr Static PE information: section name: .tlmkv
Source: VERSION.dll.4.dr Static PE information: section name: .wucsxe
Source: VERSION.dll.4.dr Static PE information: section name: .fltwtj
Source: VERSION.dll.4.dr Static PE information: section name: .sfplio
Source: VERSION.dll.4.dr Static PE information: section name: .rpg
Source: VERSION.dll.4.dr Static PE information: section name: .bewzc
Source: VERSION.dll.4.dr Static PE information: section name: .vksvaw
Source: VERSION.dll.4.dr Static PE information: section name: .wmhg
Source: VERSION.dll.4.dr Static PE information: section name: .kswemc
Source: VERSION.dll.4.dr Static PE information: section name: .kaxfk
Source: VERSION.dll.4.dr Static PE information: section name: .pjf
Source: VERSION.dll.4.dr Static PE information: section name: .favk
Source: VERSION.dll.4.dr Static PE information: section name: .vhtukj
Source: VERSION.dll.4.dr Static PE information: section name: .hmbyox
Source: VERSION.dll.4.dr Static PE information: section name: .txms
Source: VERSION.dll.4.dr Static PE information: section name: .vqqm
Source: VERSION.dll.4.dr Static PE information: section name: .cbwb
Source: VERSION.dll.4.dr Static PE information: section name: .cti
Source: VERSION.dll.4.dr Static PE information: section name: .ktfjac
Source: VERSION.dll.4.dr Static PE information: section name: .hvmici
Source: VERSION.dll.4.dr Static PE information: section name: .bvyyd
Source: VERSION.dll.4.dr Static PE information: section name: .qhjn
Source: VERSION.dll.4.dr Static PE information: section name: .bsvkca
Source: VERSION.dll.4.dr Static PE information: section name: .nvpgx
Source: VERSION.dll.4.dr Static PE information: section name: .yaa
Source: VERSION.dll.4.dr Static PE information: section name: .qsimby
Source: VERSION.dll.4.dr Static PE information: section name: .dibg
Source: VERSION.dll.4.dr Static PE information: section name: .odxfk
Source: VERSION.dll.4.dr Static PE information: section name: .zczpdd
Source: VERSION.dll.4.dr Static PE information: section name: .iceycz
Source: VERSION.dll.4.dr Static PE information: section name: .lwp
Source: VERSION.dll.4.dr Static PE information: section name: .ejt
Source: VERSION.dll.4.dr Static PE information: section name: .gzpi
Source: VERSION.dll.4.dr Static PE information: section name: .oima
Source: VERSION.dll.4.dr Static PE information: section name: .wgfpbw
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .qkm
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .cvjb
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .tlmkv
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .wucsxe
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .fltwtj
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .sfplio
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .rpg
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .bewzc
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .vksvaw
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .wmhg
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .kswemc
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .kaxfk
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .pjf
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .favk
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .vhtukj
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .hmbyox
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .txms
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .vqqm
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .cbwb
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .cti
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .ktfjac
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .hvmici
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .bvyyd
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .qhjn
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .bsvkca
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .nvpgx
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .yaa
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .qsimby
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .dibg
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .odxfk
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .zczpdd
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .iceycz
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .lwp
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .ejt
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .gzpi
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .oima
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .ajokiy
Source: SppExtComObj.Exe.4.dr Static PE information: section name: ?g_Encry
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C84858 LoadLibraryW,GetProcAddress,FreeLibrary, 34_2_00007FF7D5C84858
PE file contains an invalid checksum
Source: ACTIVEDS.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2158d9
Source: WTSAPI32.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20a536
Source: DUI70.dll0.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x256371
Source: UxTheme.dll0.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x207aff
Source: wer.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2121a1
Source: XmlLite.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20c257
Source: VERSION.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x21343c
Source: DUI70.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x256c7c
Source: WINMM.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2111d5
Source: X5C9EzCB7A.dll Static PE information: real checksum: 0x7d786c40 should be: 0x207a12
Source: dpx.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20f2f8
Source: UxTheme.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20c755
Source: MFC42u.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x21abc9
Binary contains a suspicious time stamp
Source: wermgr.exe.4.dr Static PE information: 0xA7D9A170 [Fri Mar 28 06:15:12 2059 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample Static PE information: section name: .text entropy: 7.59477523886

Persistence and Installation Behavior:

Windows Update Standalone Installer command line found (may be used to bypass UAC)
Source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp Memory string: DWS;zWusaHiddenFailed to allocate and initialize Administrators group SID.WusaIsUserAdminFailed to check token membership.Failed to get message text for id %uWusaLoadMessageWusaMessageBoxFailed: TaskDialog()Failed to get message for error 0x%xWusaGetErrorMessageWusaCreateLockFileFailed to allocate memory for lock file path.Failed to create lock file %SFailed: GetFullPathName() failed for %SWusaGetFullPathNameFailed to allocate memory for full path.Failed to create extract job for location: %SWusaExtractAllFilesFromCabinetFailed to add container for cabinet: %SFailed: ExtractAllFiles()Failed to extract files from cabinet %SFailed: LookupPrivilegeValue()EnablePrivilegeFailed: OpenProcessToken()Failed: AdjustTokenPrivileges()Failed: AdjustTokenPrivileges(); not all token privileges were assignedFailed: GetTokenInformation()WusaGetUserSIDFailed: CopySid()Failed to PostMessage to progress window, error code %uWusaPostMessagewusa.lockFailed to create eventAppModule::InitFailed to initialize COM securityFailed to initialize critical sectionFailed to show welcome dialogFailed to show non administrator dialogUser is not a member of the Administrators group.Failed to show multiple instance dialogError: Another instance of wusa.exe is running.Failed to create sandboxCreated sandbox %lsFailed: AppModule::SetScanCabPath()Failed to get application title text, id %uFailed to allocate BSTR for application titleFailure returned by InitCommonControlsEx()Failure returned by CreateFont()Failed to get STR_EXPAND_START textFailed to get STR_EXPAND_START_UNINSTALL textFailed to get STR_SEARCH_START textFailed to get STR_COPY_START textFailed to get STR_UNINSTALL_START textFailed to set done event to release shutdown blockAppModule::UninitDeleting sandbox %SAppModule::DeleteSandBoxFailed to delete sandboxCommandLineToArgvW() failed.AppModule::ParseCommandLineError: Too few arguments.Failed 
to get command line length.Failed to allocate memory for ignored arguments.Failed. Restart mode was supplied multiple times30Failed to parse switchFailed. /warnrestart has invalid formatFailed. /kb was supplied multiple timesFailed. /kb has invalid formatKBFailed to prefix KB numberFailed. /log was supplied multiple timesFailed. /gpmode was supplied multiple timesFailed. /gpmode has invalid formatFailed to allocate memory for product codeFailed to set product code to %lsFailed to add an argument to the ignored list Failed to add a blank space to the ignored argument listUnrecognized argument %SFailed to get MSU file nameFailed to get MSU file name or KB numberFailed: /uninstall with /kb and /quiet options is not supportedFailed to show /extract not supported message boxFailed: /extract is not a supported optionCommand line is %lsFailed to get source lengthAppModule::CopyStringWithQuoteFailed to allocate temp buffer"%s"Failed to copy stringFailure returned by SystemParametersInfo()AppModule::CreateFontWFailure returned by CreateFontIndirectW()Failure returned by DeleteObject()Failure r
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\0Nty\recdisc.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ySbBY3WaF\UxTheme.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2vl\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\9Krbbc\SppExtComObj.Exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ySbBY3WaF\SndVol.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\T6Vn91tw0\slui.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4DETSU\MFC42u.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\gxzS7\credui.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\B8nn\XmlLite.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Nom\mblctr.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\SB1jY1h\AtBroker.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\8FwY\dpx.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\h1G\ACTIVEDS.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\8FwY\wusa.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Bun\MFC42u.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\LnjKLu\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\O8JNmHZW\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\O8JNmHZW\cmstp.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\kkXbTNX3S\wscript.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Mnd\wextract.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\h1G\AgentService.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\gxzS7\perfmon.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\iU8z5\wermgr.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\QEkvVts\WINMM.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Mnd\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\0Nty\ReAgent.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\kOjpxXR\dwmapi.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\kOjpxXR\SnippingTool.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Nom\WTSAPI32.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4DETSU\FXSCOVER.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\byYs\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\B8nn\Dxpserver.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Bun\DevicePairingWizard.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\kkXbTNX3S\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\iU8z5\wer.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\byYs\wlrmdr.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\LnjKLu\ProximityUxHost.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\M5A\wer.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\M5A\wermgr.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2vl\LicensingUI.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C74CD4 FindWindowW,#2906,SetForegroundWindow,SendMessageW,GetCommandLineW,memset,IsWindowVisible,#4124,GetLastError,SetForegroundWindow,SendMessageW,#6610,GetLastError,#6632,IsWindowVisible,PostMessageW,GetLastActivePopup,#2906,IsIconic,#6632,SetForegroundWindow,PostMessageW,PostMessageW,PostMessageW, 34_2_00007FF7D5C74CD4
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll64.exe TID: 5420 Thread sleep time: -60000s >= -30000s Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\0Nty\recdisc.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\2vl\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\9Krbbc\SppExtComObj.Exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\T6Vn91tw0\slui.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ySbBY3WaF\SndVol.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\B8nn\XmlLite.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Nom\mblctr.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\SB1jY1h\AtBroker.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\h1G\ACTIVEDS.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\LnjKLu\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\O8JNmHZW\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\O8JNmHZW\cmstp.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Mnd\wextract.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\kkXbTNX3S\wscript.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\h1G\AgentService.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\gxzS7\perfmon.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Mnd\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\0Nty\ReAgent.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\kOjpxXR\dwmapi.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\kOjpxXR\SnippingTool.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\4DETSU\FXSCOVER.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\B8nn\Dxpserver.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\byYs\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Bun\DevicePairingWizard.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\kkXbTNX3S\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\byYs\wlrmdr.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\LnjKLu\ProximityUxHost.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\2vl\LicensingUI.exe Jump to dropped file
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740977BC4 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 01h and CTI: jne 00007FF740977CE0h 31_2_00007FF740977BC4
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 GetSystemInfo, 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740981BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose, 31_2_00007FF740981BA0
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF74097BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose, 31_2_00007FF74097BE54
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C871B0 #626,memset,#6887,#1122,#1287,FindFirstFileW,GetLastError,#6886,#1122,#1287,#1287,#624,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,SendMessageW, 34_2_00007FF7D5C871B0
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CA30D8 SendMessageW,GetLastError,wcschr,#626,#2846,FindFirstFileW,GetLastError,#1040,#626,memset,GetLastError,ReadFile,GetLastError,CloseHandle,FindNextFileW,GetLastError,FindClose,GetLastError,#1040,CloseHandle,SendMessageW,#4262,#640,#1122,#1040,#6395,#6395, 34_2_00007FF7D5CA30D8
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C7F0AC GetTempPathW,GetLastError,wcsrchr,_wcsnset,GetCurrentProcessId,FindFirstFileW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,FindClose, 34_2_00007FF7D5C7F0AC
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CB89BC wcscpy_s,wcscat_s,FindFirstFileW,_wcsicmp,FindNextFileW,GetLastError,FindClose, 34_2_00007FF7D5CB89BC
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C85B40 #626,#626,memset,memset,#6887,#620,#1122,#1040,#1287,FindFirstFileW,GetLastError,#6886,#620,#1122,#1040,#1287,#1287,#620,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,#1040,SendMessageW, 34_2_00007FF7D5C85B40
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE1F1BC0 memset,memset,CoInitializeEx,FindFirstFileW,GetLastError,lstrcmpiW,FindNextFileW,GetLastError,GetCommandLineW,EventWrite,FindClose,CoUninitialize,LocalFree, 40_2_00007FF6EE1F1BC0
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE1F8D04 memset,memset,memset,FindFirstFileW,GetLastError,lstrcmpW,lstrcmpW,DeleteFileW,GetLastError,MoveFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,GetLastError,LocalFree, 40_2_00007FF6EE1F8D04
Source: explorer.exe, 00000004.00000000.273225971.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.273225971.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.257633536.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.257633536.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000004.00000000.265986163.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.297757063.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000004.00000000.257633536.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000004.00000000.297757063.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.268458783.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000004.00000000.298268024.0000000008C73000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mic

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF7409749DC GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 31_2_00007FF7409749DC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C84858 LoadLibraryW,GetProcAddress,FreeLibrary, 34_2_00007FF7D5C84858
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740976BC0 WaitForSingleObjectEx,GetLastError,ReleaseMutex,SetLastError,GetProcessHeap,HeapFree,ReleaseMutex, 31_2_00007FF740976BC0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose, 0_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740983140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_00007FF740983140
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740982B00 SetUnhandledExceptionFilter, 31_2_00007FF740982B00
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CD48F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 34_2_00007FF7D5CD48F4
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CD4CF0 SetUnhandledExceptionFilter, 34_2_00007FF7D5CD4CF0
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE206AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 40_2_00007FF6EE206AA4
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Code function: 40_2_00007FF6EE206830 SetUnhandledExceptionFilter, 40_2_00007FF6EE206830

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: wer.dll.4.dr Jump to dropped file
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\loaddll64.exe Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CEFE0 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CE000 protect: page execute read Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Memory protected: C:\Windows\explorer.exe base: 7FFFAC2B2A20 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CEFE0 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CE000 protect: page execute read Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFFAC2B2A20 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: unknown base: 7FFFAE1CEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: unknown base: 7FFFAE1CE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: unknown base: 7FFFAC2B2A20 protect: page execute and read and write
DLL side loading technique detected
Source: C:\Windows\explorer.exe Section loaded: C:\Windows\System32\wer.dll Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\loaddll64.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\loaddll64.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h Jump to behavior
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h Jump to behavior
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5CBD58C memset,memset,CredUIParseUserNameW,LogonUserW,GetLastError,DuplicateToken,GetLastError,CloseHandle, 34_2_00007FF7D5CBD58C
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1 Jump to behavior
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF74097AE50 GetFileSecurityW,GetLastError,GetFileSecurityW,GetLastError,GetSecurityDescriptorDacl,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,SetEntriesInAclW,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,SetFileSecurityW,GetLastError,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,LocalFree,CloseHandle, 31_2_00007FF74097AE50
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740981750 AllocateAndInitializeSid,CheckTokenMembership,RegOpenKeyExW,RegCloseKey,FreeSid, 31_2_00007FF740981750
Source: explorer.exe, 00000004.00000000.306969877.0000000001400000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000004.00000000.306969877.0000000001400000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.306969877.0000000001400000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.306969877.0000000001400000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.263442469.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000004.00000000.297757063.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Queries volume information: unknown VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: #1568,GetLocaleInfoW,GetLastError,#1471,PostMessageW,#1567,#626,#2846, 34_2_00007FF7D5CA5814
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: GetLocaleInfoEx, 34_2_00007FF7D5C7E120
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLocaleInfoEx,free, 34_2_00007FF7D5C7DA70
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: #2846,GetNumberFormatW,GetLastError,GetLocaleInfoW,GetLastError,wcsstr,memset,#2846, 34_2_00007FF7D5C84934
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Code function: 31_2_00007FF740977BC4 GetSystemTimeAsFileTime,RegSetValueExW,GetLastError,RegCloseKey, 31_2_00007FF740977BC4
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Code function: 34_2_00007FF7D5C748FC GetVersion,#1441,LoadIconW,GetLastError,#1471,PostMessageW,ShellAboutW,#1471,#337,#626,memset,memset,#1471,PostMessageW,#1471,#1443,#2517,#1040,#852, 34_2_00007FF7D5C748FC
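The volume-information queries above and the reads of InstallDate and MachineGuid are, taken together, the raw material for a per-host identifier: each value is stable across reboots and differs between machines. The following triage script is an added example, not part of the sandbox report or of its detection logic. It parses report lines in the "Source: <process> <event>" shape used on this page, counts how many independent host identifiers the run touched, and separately flags Windows binary names (wermgr.exe, wusa.exe, WFS.exe) executing from a user-writable AppData directory, which is what the side-loading verdict in the overview rests on. The sample lines are constructed to mirror the page's format, the "two or more identifiers" threshold and the label "VolumeSerial" for GetVolumeInformation are this script's own heuristics, and the svchost/ProductName line is an invented negative case.

```python
"""Triage helper for sandbox behaviour lines (added example, not sandbox code)."""
import json
import re
from collections import defaultdict

# Constructed sample lines mirroring this page's report format (not copied from it).
SAMPLE_LINES = r"""
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName
""".strip().splitlines()

# Registry values that are stable per machine and commonly folded into a bot ID.
FINGERPRINT_REG_VALUES = {"InstallDate", "MachineGuid"}
# Names of legitimate Windows executables seen on this page running from AppData.
WINDOWS_BINARIES = {"wermgr.exe", "wusa.exe", "wfs.exe"}

# "Jump to behavior" is UI residue in the exported report; strip it while parsing.
LINE_RE = re.compile(r"^Source:\s+(?P<proc>\S+)\s+(?P<event>.*?)(?:\s+Jump to behavior)?$")
# The key path may contain spaces ("Windows NT"), so take the last token as the value name.
REG_RE = re.compile(r"^Key value queried:\s+(?P<key>.+?)\s+(?P<value>\S+)$")
VOL_RE = re.compile(r"^Queries volume information")


def parse_events(lines):
    """Map each process path to its volume-query count and registry values read."""
    events = defaultdict(lambda: {"volume": 0, "reg": set()})
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        proc, event = m.group("proc"), m.group("event")
        if VOL_RE.match(event):
            events[proc]["volume"] += 1
        else:
            r = REG_RE.match(event)
            if r:
                events[proc]["reg"].add(r.group("value"))
    return events


def fingerprint_sources(events):
    """Distinct host identifiers read by any process in the run (sample-level)."""
    sources = set()
    for info in events.values():
        if info["volume"]:
            # GetVolumeInformation returns the volume serial number, among other fields.
            sources.add("VolumeSerial")
        sources |= info["reg"] & FINGERPRINT_REG_VALUES
    return sources


def side_load_candidates(events):
    """Windows binary names executing from a user-writable AppData directory."""
    out = []
    for proc in events:
        low = proc.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in WINDOWS_BINARIES and "\\appdata\\local\\" in low:
            out.append(proc)
    return sorted(out)


def triage(lines):
    """Return a sample-level verdict built from the parsed behaviour lines."""
    events = parse_events(lines)
    sources = fingerprint_sources(events)
    return {
        "fingerprint_sources": sorted(sources),
        # Heuristic threshold: two or more independent identifiers in one run.
        "host_fingerprinting": len(sources) >= 2,
        "side_load_candidates": side_load_candidates(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

Correlation is done per sample rather than per process on purpose: in this report the volume queries come from rundll32.exe while the registry reads come from loaddll64.exe, so a per-process rule would miss the combination.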
No contacted IP infos