Windows Analysis Report FROqdaZTXE

Overview

General Information

Sample Name: FROqdaZTXE (renamed file extension from none to dll)
Analysis ID: 492099
MD5: 24628d042b24ccca20dfc18374ee15c1
SHA1: 0deb91aa0e4c63080d71db61bfed0c7a5fb967ca
SHA256: 2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add
Tags: exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Regsvr32 Command Line Without DLL
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Registers a DLL
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: FROqdaZTXE.dll Virustotal: Detection: 69%
Source: FROqdaZTXE.dll Metadefender: Detection: 65%
Source: FROqdaZTXE.dll ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: FROqdaZTXE.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\BAz\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\37sFQt\WMsgAPI.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\4w8kc\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\BmHMcHp\XmlLite.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\L8kh7\mscms.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: FROqdaZTXE.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\BAz\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\37sFQt\WMsgAPI.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4w8kc\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\BmHMcHp\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\L8kh7\mscms.dll Joe Sandbox ML: detected
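Added example, not part of the Joe Sandbox report: the dropped files above are DLLs named after Windows system DLLs, written into random-named directories directly under AppData\Local, and later entries show copies of legitimate Windows executables (wlrmdr.exe, isoburn.exe, consent.exe, perfmon.exe, psr.exe and others) dropped in the same way, with wlrmdr.exe executing from C:\Users\user\AppData\Local\BAz\ where DUI70.dll was dropped. That layout is the one used for DLL search-order hijacking (side-loading): the copied executable resolves its import by bare name and finds the attacker's DLL first. The Python below flags such staging directories from file-creation events and also implements a simplified reading of the "Regsvr32 Command Line Without DLL" signature listed in the overview. The lookup sets are built from file names in this report, the event list is constructed, and every exe-to-DLL pairing except the BAz one is an assumption.

```python
import ntpath
from collections import defaultdict

# Constructed lookup tables. The names come from this report's dropped-file list
# (the *.9.dr entries): Microsoft executables that were copied out of System32,
# and the DLL names that were dropped next to them. In a real deployment build
# both sets from a directory listing of C:\Windows\System32 instead.
SYSTEM_EXES = {
    "wlrmdr.exe", "isoburn.exe", "consent.exe", "perfmon.exe", "iexpress.exe",
    "bdechangepin.exe", "dccw.exe", "psr.exe", "dmnotificationbroker.exe",
}
SYSTEM_DLLS = {
    "dui70.dll", "wmsgapi.dll", "version.dll", "xmllite.dll", "mscms.dll",
    "winsta.dll", "credui.dll", "uxtheme.dll", "wtsapi32.dll",
}

# Constructed file-creation events (writer process, path). The BAz pair is the one
# the report shows; the other pairings and the installer entries are made up.
EVENTS = [
    ("explorer.exe", r"C:\Users\user\AppData\Local\BAz\wlrmdr.exe"),
    ("explorer.exe", r"C:\Users\user\AppData\Local\BAz\DUI70.dll"),
    ("explorer.exe", r"C:\Users\user\AppData\Local\4w8kc\VERSION.dll"),
    ("explorer.exe", r"C:\Users\user\AppData\Local\4w8kc\isoburn.exe"),
    ("explorer.exe", r"C:\Users\user\AppData\Local\37sFQt\WMsgAPI.dll"),
    ("msiexec.exe",  r"C:\Users\user\AppData\Local\Temp\setup\setup.exe"),
    ("msiexec.exe",  r"C:\Users\user\AppData\Local\Temp\setup\helper.dll"),
]


def _staging_dir(path):
    r"""Return the directory if it is an immediate child of <profile>\AppData\Local, else None."""
    directory, _ = ntpath.split(path)
    parent, leaf = ntpath.split(directory)
    if leaf and parent.lower().endswith(r"\appdata\local"):
        return directory
    return None


def find_sideload_staging(events):
    """Group drops by directory and flag directories holding both a copied System32
    executable and a DLL named like a system DLL (the side-loading layout)."""
    by_dir = defaultdict(lambda: {"exes": set(), "dlls": set(), "writers": set()})
    for writer, path in events:
        directory = _staging_dir(path)
        if directory is None:
            continue
        name = ntpath.basename(path).lower()
        entry = by_dir[directory]
        entry["writers"].add(writer.lower())
        if name in SYSTEM_EXES:
            entry["exes"].add(name)
        elif name in SYSTEM_DLLS:
            entry["dlls"].add(name)
    hits = []
    for directory, entry in sorted(by_dir.items()):
        if entry["exes"] and entry["dlls"]:
            hits.append({
                "dir": directory,
                "exes": sorted(entry["exes"]),
                "dlls": sorted(entry["dlls"]),
                "writers": sorted(entry["writers"]),
            })
    return hits


def regsvr32_without_dll(cmdline):
    """Simplified paraphrase of the 'Regsvr32 Command Line Without DLL' idea:
    the image is regsvr32.exe and no '.dll' appears anywhere in its arguments."""
    tokens = cmdline.split(None, 1)
    if not tokens:
        return False
    image = ntpath.basename(tokens[0].strip('"')).lower()
    args = tokens[1] if len(tokens) > 1 else ""
    return image == "regsvr32.exe" and ".dll" not in args.lower()


if __name__ == "__main__":
    for hit in find_sideload_staging(EVENTS):
        print(f"{hit['dir']}: {hit['exes']} next to {hit['dlls']} written by {hit['writers']}")
    for cmd in (r"regsvr32.exe /s C:\Users\user\Desktop\FROqdaZTXE.dll", "regsvr32.exe"):
        print(f"{cmd!r}: regsvr32 without DLL = {regsvr32_without_dll(cmd)}")
```

Directories that contain only a dropped DLL (37sFQt in the constructed events) are deliberately not flagged by this rule; they match the report's "Found dropped PE file which has not been started or loaded" observation rather than an active side-load, and a separate rule should watch them for a later executable drop.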
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.6.139:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.6.139:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.2.70:443 -> 192.168.2.5:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.2.70:443 -> 192.168.2.5:49817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.70:443 -> 192.168.2.5:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.70:443 -> 192.168.2.5:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.108:443 -> 192.168.2.5:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.108:443 -> 192.168.2.5:49830 version: TLS 1.2
Source: FROqdaZTXE.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wlrmdr.pdbGCTL source: wlrmdr.exe, 00000028.00000000.390587533.00007FF6E3C66000.00000002.00020000.sdmp
Source: Binary string: wlrmdr.pdb source: wlrmdr.exe, 00000028.00000000.390587533.00007FF6E3C66000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: explorer.exe, 00000009.00000000.280218749.0000000008BB0000.00000004.00000001.sdmp String found in binary or memory: :2021092820210929: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000009.00000000.271936377.00000000089FF000.00000004.00000001.sdmp String found in binary or memory: :2021092820210929: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000009.00000000.280084308.0000000008B68000.00000004.00000001.sdmp String found in binary or memory: :2021092820210929: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365l equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000009.00000000.280206394.0000000008BA4000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 00000009.00000000.271936377.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000009.00000000.280084308.0000000008B68000.00000004.00000001.sdmp, explorer.exe, 00000009.00000000.280218749.0000000008BB0000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMSN
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: global traffic HTTP traffic detected:
  GET /cookieconsentpub/v1/geo/location HTTP/1.1
  Accept: application/javascript, */*;q=0.8
  Referer: https://www.msn.com/de-ch/?ocid=iehp
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: geolocation.onetrust.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /tag?o=6208086025961472&upapi=true HTTP/1.1
  Accept: application/javascript, */*;q=0.8
  Referer: https://www.msn.com/de-ch/?ocid=iehp
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: btloader.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /px.gif?ch=1&e=0.5327400408745451 HTTP/1.1
  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
  Referer: https://www.msn.com/de-ch/?ocid=iehp
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: ad-delivery.net
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1
  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
  Referer: https://www.msn.com/de-ch/?ocid=iehp
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: ad.doubleclick.net
  Connection: Keep-Alive
  Cookie: IDE=AHWqTUkh5fOLAUMX20ZV8xqf__2tu45ymTec8GQqE60qWk9cSV6VA3zk_7PBuUk4
Source: global traffic HTTP traffic detected:
  GET /creative/p/11655/2021/9/15/28299829/89a22c36-158b-411c-9c2c-269457db6c00.jpg HTTP/1.1
  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
  Referer: https://www.msn.com/de-ch/?ocid=iehp
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: crcdn01.adnxs-simple.com
  Connection: Keep-Alive

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000020.00000002.357565041.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.306023387.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.298078907.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.328825836.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.392891461.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.269372359.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.401652535.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.369118065.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.350560741.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.313866092.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.431388502.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.406765007.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.250016607.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.381961674.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.320703611.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.282558272.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.258163972.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.365133450.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.291132273.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.335325271.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.247188597.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.280311070.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.342840550.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.392634921.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140034870 0_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035270 0_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 0_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140065B80 0_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400524B0 0_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140026CC0 0_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004BD40 0_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400495B0 0_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140036F30 0_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069010 0_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001010 0_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140066020 0_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002F840 0_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D850 0_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140064080 0_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140010880 0_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400688A0 0_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002D0D0 0_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400018D0 0_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016100 0_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D100 0_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002A110 0_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D910 0_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140015120 0_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000B120 0_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004F940 0_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140039140 0_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023140 0_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140057950 0_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001E170 0_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140002980 0_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400611A0 0_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400389A0 0_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400381A0 0_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002E1B0 0_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400139D0 0_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400319F0 0_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002EA00 0_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022A00 0_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003B220 0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140067A40 0_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069A50 0_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140007A60 0_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003AAC0 0_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003A2E0 0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140062B00 0_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018300 0_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002FB20 0_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031340 0_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022340 0_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140017B40 0_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000BB40 0_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004EB60 0_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005370 0_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002CB80 0_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B390 0_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140054BA0 0_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033BB0 0_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400263C0 0_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400123C0 0_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140063BD0 0_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400663F0 0_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023BF0 0_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B41B 0_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B424 0_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B42D 0_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B436 0_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B43D 0_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140024440 0_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005C40 0_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B446 0_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005F490 0_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022D00 0_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035520 0_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019D20 0_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140030530 0_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023530 0_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031540 0_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033540 0_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014007BD50 0_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140078570 0_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019580 0_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400205A0 0_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140025DB0 0_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140071DC0 0_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000C5C0 0_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002DDE0 0_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031DF0 0_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000DDF0 0_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001620 0_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018630 0_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140032650 0_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140064E80 0_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016E80 0_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140007EA0 0_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400286B0 0_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140006EB0 0_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400276C0 0_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002FEC0 0_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002EED0 0_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002B6E0 0_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140053F20 0_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022730 0_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140029780 0_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018F80 0_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003EFB0 0_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400067B0 0_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400667D0 0_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140060FE0 0_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C63778 40_2_00007FF6E3C63778
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C615EC 40_2_00007FF6E3C615EC
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C62BE8 40_2_00007FF6E3C62BE8
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C61B64 40_2_00007FF6E3C61B64
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140046C90 NtClose, 0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 NtQuerySystemInformation, 0_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C62E0C NtQuerySystemInformation,NtQuerySystemInformation,LocalFree,LocalAlloc,GetLastError,LocalFree,RtlNtStatusToDosError,RtlCompareUnicodeString, 40_2_00007FF6E3C62E0C
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C62F58 memset,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,CloseHandle, 40_2_00007FF6E3C62F58
PE file contains executable resources (Code or Archives)
Source: DmNotificationBroker.exe.9.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file contains strange resources
Source: wlrmdr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wlrmdr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: isoburn.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: isoburn.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: isoburn.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: perfmon.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: perfmon.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: perfmon.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdechangepin.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdechangepin.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdechangepin.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dccw.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dccw.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dccw.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
PE file contains more sections than normal
Source: DUI70.dll.9.dr Static PE information: Number of sections : 44 > 10
Source: WINSTA.dll.9.dr Static PE information: Number of sections : 44 > 10
Source: DUI70.dll1.9.dr Static PE information: Number of sections : 44 > 10
Source: VERSION.dll0.9.dr Static PE information: Number of sections : 44 > 10
Source: credui.dll.9.dr Static PE information: Number of sections : 44 > 10
Source: UxTheme.dll.9.dr Static PE information: Number of sections : 44 > 10
Source: WTSAPI32.dll.9.dr Static PE information: Number of sections : 44 > 10
Source: DUI70.dll0.9.dr Static PE information: Number of sections : 44 > 10
Source: FROqdaZTXE.dll Static PE information: Number of sections : 43 > 10
Source: WMsgAPI.dll.9.dr Static PE information: Number of sections : 44 > 10
Source: mscms.dll.9.dr Static PE information: Number of sections : 44 > 10
Source: VERSION.dll.9.dr Static PE information: Number of sections : 44 > 10
Source: XmlLite.dll.9.dr Static PE information: Number of sections : 44 > 10
Source: FROqdaZTXE.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WMsgAPI.dll.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: credui.dll.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: mscms.dll.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll0.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll1.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FROqdaZTXE.dll Virustotal: Detection: 69%
Source: FROqdaZTXE.dll Metadefender: Detection: 65%
Source: FROqdaZTXE.dll ReversingLabs: Detection: 77%
Source: FROqdaZTXE.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\FROqdaZTXE.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\FROqdaZTXE.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\FROqdaZTXE.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\FROqdaZTXE.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DllCanUnloadNow
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6444 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmAttachMilContent
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmDefWindowProc
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmDetachMilContent
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmEnableBlurBehindWindow
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmEnableComposition
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmEnableMMCSS
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmExtendFrameIntoClientArea
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmFlush
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmGetColorizationColor
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmGetCompositionTimingInfo
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmGetGraphicsStreamClient
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmGetGraphicsStreamTransformHint
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmGetTransportAttributes
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmGetUnmetTabRequirements
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmGetWindowAttribute
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wlrmdr.exe C:\Windows\system32\wlrmdr.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmInvalidateIconicBitmaps
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmIsCompositionEnabled
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\BAz\wlrmdr.exe C:\Users\user\AppData\Local\BAz\wlrmdr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\isoburn.exe C:\Windows\system32\isoburn.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmModifyPreviousDxFrameDuration
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\FROqdaZTXE.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\FROqdaZTXE.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmAttachMilContent
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmDefWindowProc
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmDetachMilContent
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmEnableBlurBehindWindow
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmEnableComposition
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmEnableMMCSS
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmExtendFrameIntoClientArea
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmFlush
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmGetColorizationColor
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmGetCompositionTimingInfo
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmGetGraphicsStreamClient
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmGetGraphicsStreamTransformHint
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmGetTransportAttributes
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmGetUnmetTabRequirements
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmGetWindowAttribute
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmInvalidateIconicBitmaps
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmIsCompositionEnabled
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\FROqdaZTXE.dll,DwmModifyPreviousDxFrameDuration
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\FROqdaZTXE.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6444 CREDAT:17410 /prefetch:2
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wlrmdr.exe C:\Windows\system32\wlrmdr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\BAz\wlrmdr.exe C:\Users\user\AppData\Local\BAz\wlrmdr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\isoburn.exe C:\Windows\system32\isoburn.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2A92399C-2087-11EC-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF07320BAD625A7D53.TMP
Source: classification engine Classification label: mal100.troj.evad.winDLL@78/116@12/6
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C613FC CoCreateInstance, 40_2_00007FF6E3C613FC
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C63464 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,StartServiceW,GetLastError,QueryServiceStatus,Sleep,GetLastError,CloseServiceHandle,CloseServiceHandle, 40_2_00007FF6E3C63464
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\FROqdaZTXE.dll',#1
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{61ce2c79-4f2b-332d-3720-dce3aa584b87}
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{f0b2043d-fa55-bf75-deae-d2141a225aac}
Source: Window Recorder Window detected: More than 3 window changes detected
Source: FROqdaZTXE.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: FROqdaZTXE.dll Static file information: File size 2138112 > 1048576
Source: FROqdaZTXE.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wlrmdr.pdbGCTL source: wlrmdr.exe, 00000028.00000000.390587533.00007FF6E3C66000.00000002.00020000.sdmp
Source: Binary string: wlrmdr.pdb source: wlrmdr.exe, 00000028.00000000.390587533.00007FF6E3C66000.00000002.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret 0_2_0000000140056A4E
PE file contains sections with non-standard names
Source: FROqdaZTXE.dll Static PE information: section name: .qkm
Source: FROqdaZTXE.dll Static PE information: section name: .cvjb
Source: FROqdaZTXE.dll Static PE information: section name: .tlmkv
Source: FROqdaZTXE.dll Static PE information: section name: .wucsxe
Source: FROqdaZTXE.dll Static PE information: section name: .fltwtj
Source: FROqdaZTXE.dll Static PE information: section name: .sfplio
Source: FROqdaZTXE.dll Static PE information: section name: .rpg
Source: FROqdaZTXE.dll Static PE information: section name: .bewzc
Source: FROqdaZTXE.dll Static PE information: section name: .vksvaw
Source: FROqdaZTXE.dll Static PE information: section name: .wmhg
Source: FROqdaZTXE.dll Static PE information: section name: .kswemc
Source: FROqdaZTXE.dll Static PE information: section name: .kaxfk
Source: FROqdaZTXE.dll Static PE information: section name: .pjf
Source: FROqdaZTXE.dll Static PE information: section name: .favk
Source: FROqdaZTXE.dll Static PE information: section name: .vhtukj
Source: FROqdaZTXE.dll Static PE information: section name: .hmbyox
Source: FROqdaZTXE.dll Static PE information: section name: .djv
Source: FROqdaZTXE.dll Static PE information: section name: .hpern
Source: FROqdaZTXE.dll Static PE information: section name: .czzwqg
Source: FROqdaZTXE.dll Static PE information: section name: .bzw
Source: FROqdaZTXE.dll Static PE information: section name: .ghju
Source: FROqdaZTXE.dll Static PE information: section name: .karcim
Source: FROqdaZTXE.dll Static PE information: section name: .cnwlmb
Source: FROqdaZTXE.dll Static PE information: section name: .epc
Source: FROqdaZTXE.dll Static PE information: section name: .czbkvx
Source: FROqdaZTXE.dll Static PE information: section name: .oyf
Source: FROqdaZTXE.dll Static PE information: section name: .qdkm
Source: FROqdaZTXE.dll Static PE information: section name: .onqsh
Source: FROqdaZTXE.dll Static PE information: section name: .ekjyeh
Source: FROqdaZTXE.dll Static PE information: section name: .gsm
Source: FROqdaZTXE.dll Static PE information: section name: .xewx
Source: FROqdaZTXE.dll Static PE information: section name: .zfgzs
Source: FROqdaZTXE.dll Static PE information: section name: .ixtd
Source: FROqdaZTXE.dll Static PE information: section name: .vqf
Source: FROqdaZTXE.dll Static PE information: section name: .ism
Source: FROqdaZTXE.dll Static PE information: section name: .zto
Source: FROqdaZTXE.dll Static PE information: section name: .jfsn
Source: wlrmdr.exe.9.dr Static PE information: section name: .imrsiv
Source: consent.exe.9.dr Static PE information: section name: .didat
Source: consent.exe.9.dr Static PE information: section name: consent
Source: rdpshell.exe.9.dr Static PE information: section name: .didat
Source: psr.exe.9.dr Static PE information: section name: .didat
Source: DmNotificationBroker.exe.9.dr Static PE information: section name: .imrsiv
Source: DUI70.dll.9.dr Static PE information: section name: .qkm
Source: DUI70.dll.9.dr Static PE information: section name: .cvjb
Source: DUI70.dll.9.dr Static PE information: section name: .tlmkv
Source: DUI70.dll.9.dr Static PE information: section name: .wucsxe
Source: DUI70.dll.9.dr Static PE information: section name: .fltwtj
Source: DUI70.dll.9.dr Static PE information: section name: .sfplio
Source: DUI70.dll.9.dr Static PE information: section name: .rpg
Source: DUI70.dll.9.dr Static PE information: section name: .bewzc
Source: DUI70.dll.9.dr Static PE information: section name: .vksvaw
Source: DUI70.dll.9.dr Static PE information: section name: .wmhg
Source: DUI70.dll.9.dr Static PE information: section name: .kswemc
Source: DUI70.dll.9.dr Static PE information: section name: .kaxfk
Source: DUI70.dll.9.dr Static PE information: section name: .pjf
Source: DUI70.dll.9.dr Static PE information: section name: .favk
Source: DUI70.dll.9.dr Static PE information: section name: .vhtukj
Source: DUI70.dll.9.dr Static PE information: section name: .hmbyox
Source: DUI70.dll.9.dr Static PE information: section name: .djv
Source: DUI70.dll.9.dr Static PE information: section name: .hpern
Source: DUI70.dll.9.dr Static PE information: section name: .czzwqg
Source: DUI70.dll.9.dr Static PE information: section name: .bzw
Source: DUI70.dll.9.dr Static PE information: section name: .ghju
Source: DUI70.dll.9.dr Static PE information: section name: .karcim
Source: DUI70.dll.9.dr Static PE information: section name: .cnwlmb
Source: DUI70.dll.9.dr Static PE information: section name: .epc
Source: DUI70.dll.9.dr Static PE information: section name: .czbkvx
Source: DUI70.dll.9.dr Static PE information: section name: .oyf
Source: DUI70.dll.9.dr Static PE information: section name: .qdkm
Source: DUI70.dll.9.dr Static PE information: section name: .onqsh
Source: DUI70.dll.9.dr Static PE information: section name: .ekjyeh
Source: DUI70.dll.9.dr Static PE information: section name: .gsm
Source: DUI70.dll.9.dr Static PE information: section name: .xewx
Source: DUI70.dll.9.dr Static PE information: section name: .zfgzs
Source: DUI70.dll.9.dr Static PE information: section name: .ixtd
Source: DUI70.dll.9.dr Static PE information: section name: .vqf
Source: DUI70.dll.9.dr Static PE information: section name: .ism
Source: DUI70.dll.9.dr Static PE information: section name: .zto
Source: DUI70.dll.9.dr Static PE information: section name: .jfsn
Source: DUI70.dll.9.dr Static PE information: section name: .ajrhe
Source: UxTheme.dll.9.dr Static PE information: section name: .qkm
Source: UxTheme.dll.9.dr Static PE information: section name: .cvjb
Source: UxTheme.dll.9.dr Static PE information: section name: .tlmkv
Source: UxTheme.dll.9.dr Static PE information: section name: .wucsxe
Source: UxTheme.dll.9.dr Static PE information: section name: .fltwtj
Source: UxTheme.dll.9.dr Static PE information: section name: .sfplio
Source: UxTheme.dll.9.dr Static PE information: section name: .rpg
Source: UxTheme.dll.9.dr Static PE information: section name: .bewzc
Source: UxTheme.dll.9.dr Static PE information: section name: .vksvaw
Source: UxTheme.dll.9.dr Static PE information: section name: .wmhg
Source: UxTheme.dll.9.dr Static PE information: section name: .kswemc
Source: UxTheme.dll.9.dr Static PE information: section name: .kaxfk
Source: UxTheme.dll.9.dr Static PE information: section name: .pjf
Source: UxTheme.dll.9.dr Static PE information: section name: .favk
Source: UxTheme.dll.9.dr Static PE information: section name: .vhtukj
Source: UxTheme.dll.9.dr Static PE information: section name: .hmbyox
Source: UxTheme.dll.9.dr Static PE information: section name: .djv
Source: UxTheme.dll.9.dr Static PE information: section name: .hpern
Source: UxTheme.dll.9.dr Static PE information: section name: .czzwqg
Source: UxTheme.dll.9.dr Static PE information: section name: .bzw
Source: UxTheme.dll.9.dr Static PE information: section name: .ghju
Source: UxTheme.dll.9.dr Static PE information: section name: .karcim
Source: UxTheme.dll.9.dr Static PE information: section name: .cnwlmb
Source: UxTheme.dll.9.dr Static PE information: section name: .epc
Source: UxTheme.dll.9.dr Static PE information: section name: .czbkvx
Source: UxTheme.dll.9.dr Static PE information: section name: .oyf
Source: UxTheme.dll.9.dr Static PE information: section name: .qdkm
Source: UxTheme.dll.9.dr Static PE information: section name: .onqsh
Source: UxTheme.dll.9.dr Static PE information: section name: .ekjyeh
Source: UxTheme.dll.9.dr Static PE information: section name: .gsm
Source: UxTheme.dll.9.dr Static PE information: section name: .xewx
Source: UxTheme.dll.9.dr Static PE information: section name: .zfgzs
Source: UxTheme.dll.9.dr Static PE information: section name: .ixtd
Source: UxTheme.dll.9.dr Static PE information: section name: .vqf
Source: UxTheme.dll.9.dr Static PE information: section name: .ism
Source: UxTheme.dll.9.dr Static PE information: section name: .zto
Source: UxTheme.dll.9.dr Static PE information: section name: .jfsn
Source: UxTheme.dll.9.dr Static PE information: section name: .uthm
Source: XmlLite.dll.9.dr Static PE information: section name: .qkm
Source: XmlLite.dll.9.dr Static PE information: section name: .cvjb
Source: XmlLite.dll.9.dr Static PE information: section name: .tlmkv
Source: XmlLite.dll.9.dr Static PE information: section name: .wucsxe
Source: XmlLite.dll.9.dr Static PE information: section name: .fltwtj
Source: XmlLite.dll.9.dr Static PE information: section name: .sfplio
Source: XmlLite.dll.9.dr Static PE information: section name: .rpg
Source: XmlLite.dll.9.dr Static PE information: section name: .bewzc
Source: XmlLite.dll.9.dr Static PE information: section name: .vksvaw
Source: XmlLite.dll.9.dr Static PE information: section name: .wmhg
Source: XmlLite.dll.9.dr Static PE information: section name: .kswemc
Source: XmlLite.dll.9.dr Static PE information: section name: .kaxfk
Source: XmlLite.dll.9.dr Static PE information: section name: .pjf
Source: XmlLite.dll.9.dr Static PE information: section name: .favk
Source: XmlLite.dll.9.dr Static PE information: section name: .vhtukj
Source: XmlLite.dll.9.dr Static PE information: section name: .hmbyox
Source: XmlLite.dll.9.dr Static PE information: section name: .djv
Source: XmlLite.dll.9.dr Static PE information: section name: .hpern
Source: XmlLite.dll.9.dr Static PE information: section name: .czzwqg
Source: XmlLite.dll.9.dr Static PE information: section name: .bzw
Source: XmlLite.dll.9.dr Static PE information: section name: .ghju
Source: XmlLite.dll.9.dr Static PE information: section name: .karcim
Source: XmlLite.dll.9.dr Static PE information: section name: .cnwlmb
Source: XmlLite.dll.9.dr Static PE information: section name: .epc
Source: XmlLite.dll.9.dr Static PE information: section name: .czbkvx
Source: XmlLite.dll.9.dr Static PE information: section name: .oyf
Source: XmlLite.dll.9.dr Static PE information: section name: .qdkm
Source: XmlLite.dll.9.dr Static PE information: section name: .onqsh
Source: XmlLite.dll.9.dr Static PE information: section name: .ekjyeh
Source: XmlLite.dll.9.dr Static PE information: section name: .gsm
Source: XmlLite.dll.9.dr Static PE information: section name: .xewx
Source: XmlLite.dll.9.dr Static PE information: section name: .zfgzs
Source: XmlLite.dll.9.dr Static PE information: section name: .ixtd
Source: XmlLite.dll.9.dr Static PE information: section name: .vqf
Source: XmlLite.dll.9.dr Static PE information: section name: .ism
Source: XmlLite.dll.9.dr Static PE information: section name: .zto
Source: XmlLite.dll.9.dr Static PE information: section name: .jfsn
Source: XmlLite.dll.9.dr Static PE information: section name: .yor
Source: WMsgAPI.dll.9.dr Static PE information: section name: .qkm
Source: WMsgAPI.dll.9.dr Static PE information: section name: .cvjb
Source: WMsgAPI.dll.9.dr Static PE information: section name: .tlmkv
Source: WMsgAPI.dll.9.dr Static PE information: section name: .wucsxe
Source: WMsgAPI.dll.9.dr Static PE information: section name: .fltwtj
Source: WMsgAPI.dll.9.dr Static PE information: section name: .sfplio
Source: WMsgAPI.dll.9.dr Static PE information: section name: .rpg
Source: WMsgAPI.dll.9.dr Static PE information: section name: .bewzc
Source: WMsgAPI.dll.9.dr Static PE information: section name: .vksvaw
Source: WMsgAPI.dll.9.dr Static PE information: section name: .wmhg
Source: WMsgAPI.dll.9.dr Static PE information: section name: .kswemc
Source: WMsgAPI.dll.9.dr Static PE information: section name: .kaxfk
Source: WMsgAPI.dll.9.dr Static PE information: section name: .pjf
Source: WMsgAPI.dll.9.dr Static PE information: section name: .favk
Source: WMsgAPI.dll.9.dr Static PE information: section name: .vhtukj
Source: WMsgAPI.dll.9.dr Static PE information: section name: .hmbyox
Source: WMsgAPI.dll.9.dr Static PE information: section name: .djv
Source: WMsgAPI.dll.9.dr Static PE information: section name: .hpern
Source: WMsgAPI.dll.9.dr Static PE information: section name: .czzwqg
Source: WMsgAPI.dll.9.dr Static PE information: section name: .bzw
Source: WMsgAPI.dll.9.dr Static PE information: section name: .ghju
Source: WMsgAPI.dll.9.dr Static PE information: section name: .karcim
Source: WMsgAPI.dll.9.dr Static PE information: section name: .cnwlmb
Source: WMsgAPI.dll.9.dr Static PE information: section name: .epc
Source: WMsgAPI.dll.9.dr Static PE information: section name: .czbkvx
Source: WMsgAPI.dll.9.dr Static PE information: section name: .oyf
Source: WMsgAPI.dll.9.dr Static PE information: section name: .qdkm
Source: WMsgAPI.dll.9.dr Static PE information: section name: .onqsh
Source: WMsgAPI.dll.9.dr Static PE information: section name: .ekjyeh
Source: WMsgAPI.dll.9.dr Static PE information: section name: .gsm
Source: WMsgAPI.dll.9.dr Static PE information: section name: .xewx
Source: WMsgAPI.dll.9.dr Static PE information: section name: .zfgzs
Source: WMsgAPI.dll.9.dr Static PE information: section name: .ixtd
Source: WMsgAPI.dll.9.dr Static PE information: section name: .vqf
Source: WMsgAPI.dll.9.dr Static PE information: section name: .ism
Source: WMsgAPI.dll.9.dr Static PE information: section name: .zto
Source: WMsgAPI.dll.9.dr Static PE information: section name: .jfsn
Source: WMsgAPI.dll.9.dr Static PE information: section name: .zihagk
Source: credui.dll.9.dr Static PE information: section name: .qkm
Source: credui.dll.9.dr Static PE information: section name: .cvjb
Source: credui.dll.9.dr Static PE information: section name: .tlmkv
Source: credui.dll.9.dr Static PE information: section name: .wucsxe
Source: credui.dll.9.dr Static PE information: section name: .fltwtj
Source: credui.dll.9.dr Static PE information: section name: .sfplio
Source: credui.dll.9.dr Static PE information: section name: .rpg
Source: credui.dll.9.dr Static PE information: section name: .bewzc
Source: credui.dll.9.dr Static PE information: section name: .vksvaw
Source: credui.dll.9.dr Static PE information: section name: .wmhg
Source: credui.dll.9.dr Static PE information: section name: .kswemc
Source: credui.dll.9.dr Static PE information: section name: .kaxfk
Source: credui.dll.9.dr Static PE information: section name: .pjf
Source: credui.dll.9.dr Static PE information: section name: .favk
Source: credui.dll.9.dr Static PE information: section name: .vhtukj
Source: credui.dll.9.dr Static PE information: section name: .hmbyox
Source: credui.dll.9.dr Static PE information: section name: .djv
Source: credui.dll.9.dr Static PE information: section name: .hpern
Source: credui.dll.9.dr Static PE information: section name: .czzwqg
Source: credui.dll.9.dr Static PE information: section name: .bzw
Source: credui.dll.9.dr Static PE information: section name: .ghju
Source: credui.dll.9.dr Static PE information: section name: .karcim
Source: credui.dll.9.dr Static PE information: section name: .cnwlmb
Source: credui.dll.9.dr Static PE information: section name: .epc
Source: credui.dll.9.dr Static PE information: section name: .czbkvx
Source: credui.dll.9.dr Static PE information: section name: .oyf
Source: credui.dll.9.dr Static PE information: section name: .qdkm
Source: credui.dll.9.dr Static PE information: section name: .onqsh
Source: credui.dll.9.dr Static PE information: section name: .ekjyeh
Source: credui.dll.9.dr Static PE information: section name: .gsm
Source: credui.dll.9.dr Static PE information: section name: .xewx
Source: credui.dll.9.dr Static PE information: section name: .zfgzs
Source: credui.dll.9.dr Static PE information: section name: .ixtd
Source: credui.dll.9.dr Static PE information: section name: .vqf
Source: credui.dll.9.dr Static PE information: section name: .ism
Source: credui.dll.9.dr Static PE information: section name: .zto
Source: credui.dll.9.dr Static PE information: section name: .jfsn
Source: credui.dll.9.dr Static PE information: section name: .det
Source: VERSION.dll.9.dr Static PE information: section name: .qkm
Source: VERSION.dll.9.dr Static PE information: section name: .cvjb
Source: VERSION.dll.9.dr Static PE information: section name: .tlmkv
Source: VERSION.dll.9.dr Static PE information: section name: .wucsxe
Source: VERSION.dll.9.dr Static PE information: section name: .fltwtj
Source: VERSION.dll.9.dr Static PE information: section name: .sfplio
Source: VERSION.dll.9.dr Static PE information: section name: .rpg
Source: VERSION.dll.9.dr Static PE information: section name: .bewzc
Source: VERSION.dll.9.dr Static PE information: section name: .vksvaw
Source: VERSION.dll.9.dr Static PE information: section name: .wmhg
Source: VERSION.dll.9.dr Static PE information: section name: .kswemc
Source: VERSION.dll.9.dr Static PE information: section name: .kaxfk
Source: VERSION.dll.9.dr Static PE information: section name: .pjf
Source: VERSION.dll.9.dr Static PE information: section name: .favk
Source: VERSION.dll.9.dr Static PE information: section name: .vhtukj
Source: VERSION.dll.9.dr Static PE information: section name: .hmbyox
Source: VERSION.dll.9.dr Static PE information: section name: .djv
Source: VERSION.dll.9.dr Static PE information: section name: .hpern
Source: VERSION.dll.9.dr Static PE information: section name: .czzwqg
Source: VERSION.dll.9.dr Static PE information: section name: .bzw
Source: VERSION.dll.9.dr Static PE information: section name: .ghju
Source: VERSION.dll.9.dr Static PE information: section name: .karcim
Source: VERSION.dll.9.dr Static PE information: section name: .cnwlmb
Source: VERSION.dll.9.dr Static PE information: section name: .epc
Source: VERSION.dll.9.dr Static PE information: section name: .czbkvx
Source: VERSION.dll.9.dr Static PE information: section name: .oyf
Source: VERSION.dll.9.dr Static PE information: section name: .qdkm
Source: VERSION.dll.9.dr Static PE information: section name: .onqsh
Source: VERSION.dll.9.dr Static PE information: section name: .ekjyeh
Source: VERSION.dll.9.dr Static PE information: section name: .gsm
Source: VERSION.dll.9.dr Static PE information: section name: .xewx
Source: VERSION.dll.9.dr Static PE information: section name: .zfgzs
Source: VERSION.dll.9.dr Static PE information: section name: .ixtd
Source: VERSION.dll.9.dr Static PE information: section name: .vqf
Source: VERSION.dll.9.dr Static PE information: section name: .ism
Source: VERSION.dll.9.dr Static PE information: section name: .zto
Source: VERSION.dll.9.dr Static PE information: section name: .jfsn
Source: VERSION.dll.9.dr Static PE information: section name: .iorjc
Source: WINSTA.dll.9.dr Static PE information: section name: .qkm
Source: WINSTA.dll.9.dr Static PE information: section name: .cvjb
Source: WINSTA.dll.9.dr Static PE information: section name: .tlmkv
Source: WINSTA.dll.9.dr Static PE information: section name: .wucsxe
Source: WINSTA.dll.9.dr Static PE information: section name: .fltwtj
Source: WINSTA.dll.9.dr Static PE information: section name: .sfplio
Source: WINSTA.dll.9.dr Static PE information: section name: .rpg
Source: WINSTA.dll.9.dr Static PE information: section name: .bewzc
Source: WINSTA.dll.9.dr Static PE information: section name: .vksvaw
Source: WINSTA.dll.9.dr Static PE information: section name: .wmhg
Source: WINSTA.dll.9.dr Static PE information: section name: .kswemc
Source: WINSTA.dll.9.dr Static PE information: section name: .kaxfk
Source: WINSTA.dll.9.dr Static PE information: section name: .pjf
Source: WINSTA.dll.9.dr Static PE information: section name: .favk
Source: WINSTA.dll.9.dr Static PE information: section name: .vhtukj
Source: WINSTA.dll.9.dr Static PE information: section name: .hmbyox
Source: WINSTA.dll.9.dr Static PE information: section name: .djv
Source: WINSTA.dll.9.dr Static PE information: section name: .hpern
Source: WINSTA.dll.9.dr Static PE information: section name: .czzwqg
Source: WINSTA.dll.9.dr Static PE information: section name: .bzw
Source: WINSTA.dll.9.dr Static PE information: section name: .ghju
Source: WINSTA.dll.9.dr Static PE information: section name: .karcim
Source: WINSTA.dll.9.dr Static PE information: section name: .cnwlmb
Source: WINSTA.dll.9.dr Static PE information: section name: .epc
Source: WINSTA.dll.9.dr Static PE information: section name: .czbkvx
Source: WINSTA.dll.9.dr Static PE information: section name: .oyf
Source: WINSTA.dll.9.dr Static PE information: section name: .qdkm
Source: WINSTA.dll.9.dr Static PE information: section name: .onqsh
Source: WINSTA.dll.9.dr Static PE information: section name: .ekjyeh
Source: WINSTA.dll.9.dr Static PE information: section name: .gsm
Source: WINSTA.dll.9.dr Static PE information: section name: .xewx
Source: WINSTA.dll.9.dr Static PE information: section name: .zfgzs
Source: WINSTA.dll.9.dr Static PE information: section name: .ixtd
Source: WINSTA.dll.9.dr Static PE information: section name: .vqf
Source: WINSTA.dll.9.dr Static PE information: section name: .ism
Source: WINSTA.dll.9.dr Static PE information: section name: .zto
Source: WINSTA.dll.9.dr Static PE information: section name: .jfsn
Source: WINSTA.dll.9.dr Static PE information: section name: .iscbu
Source: DUI70.dll0.9.dr Static PE information: section name: .qkm
Source: DUI70.dll0.9.dr Static PE information: section name: .cvjb
Source: DUI70.dll0.9.dr Static PE information: section name: .tlmkv
Source: DUI70.dll0.9.dr Static PE information: section name: .wucsxe
Source: DUI70.dll0.9.dr Static PE information: section name: .fltwtj
Source: DUI70.dll0.9.dr Static PE information: section name: .sfplio
Source: DUI70.dll0.9.dr Static PE information: section name: .rpg
Source: DUI70.dll0.9.dr Static PE information: section name: .bewzc
Source: DUI70.dll0.9.dr Static PE information: section name: .vksvaw
Source: DUI70.dll0.9.dr Static PE information: section name: .wmhg
Source: DUI70.dll0.9.dr Static PE information: section name: .kswemc
Source: DUI70.dll0.9.dr Static PE information: section name: .kaxfk
Source: DUI70.dll0.9.dr Static PE information: section name: .pjf
Source: DUI70.dll0.9.dr Static PE information: section name: .favk
Source: DUI70.dll0.9.dr Static PE information: section name: .vhtukj
Source: DUI70.dll0.9.dr Static PE information: section name: .hmbyox
Source: DUI70.dll0.9.dr Static PE information: section name: .djv
Source: DUI70.dll0.9.dr Static PE information: section name: .hpern
Source: DUI70.dll0.9.dr Static PE information: section name: .czzwqg
Source: DUI70.dll0.9.dr Static PE information: section name: .bzw
Source: DUI70.dll0.9.dr Static PE information: section name: .ghju
Source: DUI70.dll0.9.dr Static PE information: section name: .karcim
Source: DUI70.dll0.9.dr Static PE information: section name: .cnwlmb
Source: DUI70.dll0.9.dr Static PE information: section name: .epc
Source: DUI70.dll0.9.dr Static PE information: section name: .czbkvx
Source: DUI70.dll0.9.dr Static PE information: section name: .oyf
Source: DUI70.dll0.9.dr Static PE information: section name: .qdkm
Source: DUI70.dll0.9.dr Static PE information: section name: .onqsh
Source: DUI70.dll0.9.dr Static PE information: section name: .ekjyeh
Source: DUI70.dll0.9.dr Static PE information: section name: .gsm
Source: DUI70.dll0.9.dr Static PE information: section name: .xewx
Source: DUI70.dll0.9.dr Static PE information: section name: .zfgzs
Source: DUI70.dll0.9.dr Static PE information: section name: .ixtd
Source: DUI70.dll0.9.dr Static PE information: section name: .vqf
Source: DUI70.dll0.9.dr Static PE information: section name: .ism
Source: DUI70.dll0.9.dr Static PE information: section name: .zto
Source: DUI70.dll0.9.dr Static PE information: section name: .jfsn
Source: DUI70.dll0.9.dr Static PE information: section name: .kdptey
Source: mscms.dll.9.dr Static PE information: section name: .qkm
Source: mscms.dll.9.dr Static PE information: section name: .cvjb
Source: mscms.dll.9.dr Static PE information: section name: .tlmkv
Source: mscms.dll.9.dr Static PE information: section name: .wucsxe
Source: mscms.dll.9.dr Static PE information: section name: .fltwtj
Source: mscms.dll.9.dr Static PE information: section name: .sfplio
Source: mscms.dll.9.dr Static PE information: section name: .rpg
Source: mscms.dll.9.dr Static PE information: section name: .bewzc
Source: mscms.dll.9.dr Static PE information: section name: .vksvaw
Source: mscms.dll.9.dr Static PE information: section name: .wmhg
Source: mscms.dll.9.dr Static PE information: section name: .kswemc
Source: mscms.dll.9.dr Static PE information: section name: .kaxfk
Source: mscms.dll.9.dr Static PE information: section name: .pjf
Source: mscms.dll.9.dr Static PE information: section name: .favk
Source: mscms.dll.9.dr Static PE information: section name: .vhtukj
Source: mscms.dll.9.dr Static PE information: section name: .hmbyox
Source: mscms.dll.9.dr Static PE information: section name: .djv
Source: mscms.dll.9.dr Static PE information: section name: .hpern
Source: mscms.dll.9.dr Static PE information: section name: .czzwqg
Source: mscms.dll.9.dr Static PE information: section name: .bzw
Source: mscms.dll.9.dr Static PE information: section name: .ghju
Source: mscms.dll.9.dr Static PE information: section name: .karcim
Source: mscms.dll.9.dr Static PE information: section name: .cnwlmb
Source: mscms.dll.9.dr Static PE information: section name: .epc
Source: mscms.dll.9.dr Static PE information: section name: .czbkvx
Source: mscms.dll.9.dr Static PE information: section name: .oyf
Source: mscms.dll.9.dr Static PE information: section name: .qdkm
Source: mscms.dll.9.dr Static PE information: section name: .onqsh
Source: mscms.dll.9.dr Static PE information: section name: .ekjyeh
Source: mscms.dll.9.dr Static PE information: section name: .gsm
Source: mscms.dll.9.dr Static PE information: section name: .xewx
Source: mscms.dll.9.dr Static PE information: section name: .zfgzs
Source: mscms.dll.9.dr Static PE information: section name: .ixtd
Source: mscms.dll.9.dr Static PE information: section name: .vqf
Source: mscms.dll.9.dr Static PE information: section name: .ism
Source: mscms.dll.9.dr Static PE information: section name: .zto
Source: mscms.dll.9.dr Static PE information: section name: .jfsn
Source: mscms.dll.9.dr Static PE information: section name: .gnaexi
Source: VERSION.dll0.9.dr Static PE information: section name: .qkm
Source: VERSION.dll0.9.dr Static PE information: section name: .cvjb
Source: VERSION.dll0.9.dr Static PE information: section name: .tlmkv
Source: VERSION.dll0.9.dr Static PE information: section name: .wucsxe
Source: VERSION.dll0.9.dr Static PE information: section name: .fltwtj
Source: VERSION.dll0.9.dr Static PE information: section name: .sfplio
Source: VERSION.dll0.9.dr Static PE information: section name: .rpg
Source: VERSION.dll0.9.dr Static PE information: section name: .bewzc
Source: VERSION.dll0.9.dr Static PE information: section name: .vksvaw
Source: VERSION.dll0.9.dr Static PE information: section name: .wmhg
Source: VERSION.dll0.9.dr Static PE information: section name: .kswemc
Source: VERSION.dll0.9.dr Static PE information: section name: .kaxfk
Source: VERSION.dll0.9.dr Static PE information: section name: .pjf
Source: VERSION.dll0.9.dr Static PE information: section name: .favk
Source: VERSION.dll0.9.dr Static PE information: section name: .vhtukj
Source: VERSION.dll0.9.dr Static PE information: section name: .hmbyox
Source: VERSION.dll0.9.dr Static PE information: section name: .djv
Source: VERSION.dll0.9.dr Static PE information: section name: .hpern
Source: VERSION.dll0.9.dr Static PE information: section name: .czzwqg
Source: VERSION.dll0.9.dr Static PE information: section name: .bzw
Source: VERSION.dll0.9.dr Static PE information: section name: .ghju
Source: VERSION.dll0.9.dr Static PE information: section name: .karcim
Source: VERSION.dll0.9.dr Static PE information: section name: .cnwlmb
Source: VERSION.dll0.9.dr Static PE information: section name: .epc
Source: VERSION.dll0.9.dr Static PE information: section name: .czbkvx
Source: VERSION.dll0.9.dr Static PE information: section name: .oyf
Source: VERSION.dll0.9.dr Static PE information: section name: .qdkm
Source: VERSION.dll0.9.dr Static PE information: section name: .onqsh
Source: VERSION.dll0.9.dr Static PE information: section name: .ekjyeh
Source: VERSION.dll0.9.dr Static PE information: section name: .gsm
Source: VERSION.dll0.9.dr Static PE information: section name: .xewx
Source: VERSION.dll0.9.dr Static PE information: section name: .zfgzs
Source: VERSION.dll0.9.dr Static PE information: section name: .ixtd
Source: VERSION.dll0.9.dr Static PE information: section name: .vqf
Source: VERSION.dll0.9.dr Static PE information: section name: .ism
Source: VERSION.dll0.9.dr Static PE information: section name: .zto
Source: VERSION.dll0.9.dr Static PE information: section name: .jfsn
Source: VERSION.dll0.9.dr Static PE information: section name: .fkmwb
Source: DUI70.dll1.9.dr Static PE information: section name: .qkm
Source: DUI70.dll1.9.dr Static PE information: section name: .cvjb
Source: DUI70.dll1.9.dr Static PE information: section name: .tlmkv
Source: DUI70.dll1.9.dr Static PE information: section name: .wucsxe
Source: DUI70.dll1.9.dr Static PE information: section name: .fltwtj
Source: DUI70.dll1.9.dr Static PE information: section name: .sfplio
Source: DUI70.dll1.9.dr Static PE information: section name: .rpg
Source: DUI70.dll1.9.dr Static PE information: section name: .bewzc
Source: DUI70.dll1.9.dr Static PE information: section name: .vksvaw
Source: DUI70.dll1.9.dr Static PE information: section name: .wmhg
Source: DUI70.dll1.9.dr Static PE information: section name: .kswemc
Source: DUI70.dll1.9.dr Static PE information: section name: .kaxfk
Source: DUI70.dll1.9.dr Static PE information: section name: .pjf
Source: DUI70.dll1.9.dr Static PE information: section name: .favk
Source: DUI70.dll1.9.dr Static PE information: section name: .vhtukj
Source: DUI70.dll1.9.dr Static PE information: section name: .hmbyox
Source: DUI70.dll1.9.dr Static PE information: section name: .djv
Source: DUI70.dll1.9.dr Static PE information: section name: .hpern
Source: DUI70.dll1.9.dr Static PE information: section name: .czzwqg
Source: DUI70.dll1.9.dr Static PE information: section name: .bzw
Source: DUI70.dll1.9.dr Static PE information: section name: .ghju
Source: DUI70.dll1.9.dr Static PE information: section name: .karcim
Source: DUI70.dll1.9.dr Static PE information: section name: .cnwlmb
Source: DUI70.dll1.9.dr Static PE information: section name: .epc
Source: DUI70.dll1.9.dr Static PE information: section name: .czbkvx
Source: DUI70.dll1.9.dr Static PE information: section name: .oyf
Source: DUI70.dll1.9.dr Static PE information: section name: .qdkm
Source: DUI70.dll1.9.dr Static PE information: section name: .onqsh
Source: DUI70.dll1.9.dr Static PE information: section name: .ekjyeh
Source: DUI70.dll1.9.dr Static PE information: section name: .gsm
Source: DUI70.dll1.9.dr Static PE information: section name: .xewx
Source: DUI70.dll1.9.dr Static PE information: section name: .zfgzs
Source: DUI70.dll1.9.dr Static PE information: section name: .ixtd
Source: DUI70.dll1.9.dr Static PE information: section name: .vqf
Source: DUI70.dll1.9.dr Static PE information: section name: .ism
Source: DUI70.dll1.9.dr Static PE information: section name: .zto
Source: DUI70.dll1.9.dr Static PE information: section name: .jfsn
Source: DUI70.dll1.9.dr Static PE information: section name: .bwn
Source: WTSAPI32.dll.9.dr Static PE information: section name: .qkm
Source: WTSAPI32.dll.9.dr Static PE information: section name: .cvjb
Source: WTSAPI32.dll.9.dr Static PE information: section name: .tlmkv
Source: WTSAPI32.dll.9.dr Static PE information: section name: .wucsxe
Source: WTSAPI32.dll.9.dr Static PE information: section name: .fltwtj
Source: WTSAPI32.dll.9.dr Static PE information: section name: .sfplio
Source: WTSAPI32.dll.9.dr Static PE information: section name: .rpg
Source: WTSAPI32.dll.9.dr Static PE information: section name: .bewzc
Source: WTSAPI32.dll.9.dr Static PE information: section name: .vksvaw
Source: WTSAPI32.dll.9.dr Static PE information: section name: .wmhg
Source: WTSAPI32.dll.9.dr Static PE information: section name: .kswemc
Source: WTSAPI32.dll.9.dr Static PE information: section name: .kaxfk
Source: WTSAPI32.dll.9.dr Static PE information: section name: .pjf
Source: WTSAPI32.dll.9.dr Static PE information: section name: .favk
Source: WTSAPI32.dll.9.dr Static PE information: section name: .vhtukj
Source: WTSAPI32.dll.9.dr Static PE information: section name: .hmbyox
Source: WTSAPI32.dll.9.dr Static PE information: section name: .djv
Source: WTSAPI32.dll.9.dr Static PE information: section name: .hpern
Source: WTSAPI32.dll.9.dr Static PE information: section name: .czzwqg
Source: WTSAPI32.dll.9.dr Static PE information: section name: .bzw
Source: WTSAPI32.dll.9.dr Static PE information: section name: .ghju
Source: WTSAPI32.dll.9.dr Static PE information: section name: .karcim
Source: WTSAPI32.dll.9.dr Static PE information: section name: .cnwlmb
Source: WTSAPI32.dll.9.dr Static PE information: section name: .epc
Source: WTSAPI32.dll.9.dr Static PE information: section name: .czbkvx
Source: WTSAPI32.dll.9.dr Static PE information: section name: .oyf
Source: WTSAPI32.dll.9.dr Static PE information: section name: .qdkm
Source: WTSAPI32.dll.9.dr Static PE information: section name: .onqsh
Source: WTSAPI32.dll.9.dr Static PE information: section name: .ekjyeh
Source: WTSAPI32.dll.9.dr Static PE information: section name: .gsm
Source: WTSAPI32.dll.9.dr Static PE information: section name: .xewx
Source: WTSAPI32.dll.9.dr Static PE information: section name: .zfgzs
Source: WTSAPI32.dll.9.dr Static PE information: section name: .ixtd
Source: WTSAPI32.dll.9.dr Static PE information: section name: .vqf
Source: WTSAPI32.dll.9.dr Static PE information: section name: .ism
Source: WTSAPI32.dll.9.dr Static PE information: section name: .zto
Source: WTSAPI32.dll.9.dr Static PE information: section name: .jfsn
Source: WTSAPI32.dll.9.dr Static PE information: section name: .zkc
PE file contains an invalid checksum
Source: DUI70.dll.9.dr Static PE information: real checksum: 0x7d786c40 should be: 0x25217a
Source: WINSTA.dll.9.dr Static PE information: real checksum: 0x7d786c40 should be: 0x213e42
Source: DUI70.dll1.9.dr Static PE information: real checksum: 0x7d786c40 should be: 0x25f25e
Source: VERSION.dll0.9.dr Static PE information: real checksum: 0x7d786c40 should be: 0x21a5fc
Source: credui.dll.9.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20cc42
Source: UxTheme.dll.9.dr Static PE information: real checksum: 0x7d786c40 should be: 0x21877e
Source: WTSAPI32.dll.9.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20e4d8
Source: DUI70.dll0.9.dr Static PE information: real checksum: 0x7d786c40 should be: 0x252798
Source: FROqdaZTXE.dll Static PE information: real checksum: 0x7d786c40 should be: 0x216706
Source: WMsgAPI.dll.9.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20cab7
Source: mscms.dll.9.dr Static PE information: real checksum: 0x7d786c40 should be: 0x21739b
Source: VERSION.dll.9.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2115a9
Source: XmlLite.dll.9.dr Static PE information: real checksum: 0x7d786c40 should be: 0x21a7ec
Binary contains a suspicious time stamp
Source: wlrmdr.exe.9.dr Static PE information: 0x89963288 [Mon Feb 23 16:32:08 2043 UTC]
Registers a DLL
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\FROqdaZTXE.dll
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\lT4\UxTheme.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\sWszceF\rdpshell.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\BAz\wlrmdr.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\veHY9uq\WTSAPI32.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\upa\perfmon.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\L8kh7\mscms.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\37sFQt\consent.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4w8kc\VERSION.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\L8kh7\dccw.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\IUlxz4RrJ\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\IUlxz4RrJ\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\jp17lp\iexpress.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\veHY9uq\rdpclip.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\37sFQt\WMsgAPI.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\lT4\isoburn.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\sWszceF\WINSTA.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\upa\credui.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\rNUx\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\rNUx\bdechangepin.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4w8kc\psr.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\BmHMcHp\XmlLite.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\BAz\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\jp17lp\VERSION.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\BmHMcHp\printfilterpipelinesvc.exe
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C63464 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,StartServiceW,GetLastError,QueryServiceStatus,Sleep,GetLastError,CloseServiceHandle,CloseServiceHandle, 40_2_00007FF6E3C63464
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll64.exe TID: 6316 Thread sleep time: -60000s >= -30000s
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\IUlxz4RrJ\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\sWszceF\rdpshell.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\veHY9uq\WTSAPI32.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\jp17lp\iexpress.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\veHY9uq\rdpclip.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\37sFQt\WMsgAPI.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\upa\perfmon.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\sWszceF\WINSTA.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\upa\credui.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\L8kh7\mscms.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\37sFQt\consent.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\rNUx\bdechangepin.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\4w8kc\psr.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\4w8kc\VERSION.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\L8kh7\dccw.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\BmHMcHp\XmlLite.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\jp17lp\VERSION.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\BmHMcHp\printfilterpipelinesvc.exe
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 GetSystemInfo, 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: explorer.exe, 00000009.00000000.334535103.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.251111625.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000009.00000000.324132758.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000009.00000000.293452319.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000009.00000000.324132758.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose, 0_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C64014 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 40_2_00007FF6E3C64014
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C63D90 SetUnhandledExceptionFilter, 40_2_00007FF6E3C63D90

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: DUI70.dll.9.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\regsvr32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write
Source: C:\Windows\System32\regsvr32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read
Source: C:\Windows\System32\regsvr32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: unknown base: 7FFA9B8EEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: unknown base: 7FFA9B8EE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: unknown base: 7FFA9B312A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\regsvr32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\regsvr32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\FROqdaZTXE.dll',#1 Jump to behavior
Source: explorer.exe, 00000009.00000000.251421594.0000000001640000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.251421594.0000000001640000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.251421594.0000000001640000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000009.00000000.311700369.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000009.00000000.251421594.0000000001640000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000009.00000000.251421594.0000000001640000.00000002.00020000.sdmp Binary or memory string: Progmanlock
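The following triage helper is an added example; it is not part of the Joe Sandbox report and not code from the sample. It parses report lines of the form "Source: <process> <signature>: <details>" (the lines from this section are embedded below as constructed input), pairs RWX protection changes with queued APCs to recover who injected into whom, and decodes the "Atom created" bytes with a minimal x64 decoder that only knows the prologue opcodes involved (REX-prefixed push, lea rbp,[rsp+disp8], sub rsp,imm32), so the analyst sees the payload as the 64-bit target would execute it instead of the 32-bit listing.

```python
import re
from collections import defaultdict

# Constructed input: signature lines copied from the report section above.
REPORT_LINES = r"""
Source: C:\Windows\System32\regsvr32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write
Source: C:\Windows\System32\regsvr32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read
Source: C:\Windows\System32\regsvr32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write
Source: C:\Windows\System32\regsvr32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\System32\regsvr32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp
Source: C:\Windows\System32\rundll32.exe Memory protected: unknown base: 7FFA9B312A20 protect: page execute and read and write
""".strip().splitlines()

LINE_RE = re.compile(r"^Source: (?P<src>\S+) (?P<kind>Memory protected|Thread APC queued|Atom created): (?P<rest>.*)$")
PROT_RE = re.compile(r"^(?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def parse_report(lines):
    """Group evidence per source process: RWX protect changes, APC targets and atom payloads."""
    out = defaultdict(lambda: {"rwx": [], "apc": [], "atoms": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, kind, rest = m.group("src", "kind", "rest")
        if kind == "Memory protected":
            p = PROT_RE.match(rest)
            # PAGE_EXECUTE_READ alone is not writable; count only execute+write
            if p and "execute" in p.group("prot") and "write" in p.group("prot"):
                out[src]["rwx"].append((p.group("target"), p.group("base")))
        elif kind == "Thread APC queued":
            out[src]["apc"].append(rest.replace("target process: ", "", 1))
        elif kind == "Atom created":
            out[src]["atoms"].append(rest.split()[0])  # hex payload; drop the sandbox listing
    return dict(out)


def injection_chain(parsed):
    """(source, target) pairs where one process both made target memory RWX and queued an APC into it."""
    pairs = []
    for src, ev in parsed.items():
        for target in ev["apc"]:
            if any(t == target for t, _ in ev["rwx"]):
                pairs.append((src, target))
    return pairs


def decode_prologue(hexstr):
    """Decode only the x64 prologue shapes seen in the atom; stop at the first unknown byte."""
    b = bytes.fromhex(hexstr)
    i, insns = 0, []
    while i < len(b):
        rex = 0
        if 0x40 <= b[i] <= 0x4F:          # REX prefix 0100WRXB
            rex, i = b[i], i + 1
            if i >= len(b):
                break
        op = b[i]
        if 0x50 <= op <= 0x57:            # push r64, REX.B selects r8..r15
            reg = (op - 0x50) + (8 if rex & 1 else 0)
            insns.append("push " + (f"r{reg}" if reg >= 8 else REG64[reg]))
            i += 1
        elif op == 0x8D and rex & 8 and b[i + 1:i + 3] == b"\x6c\x24" and i + 3 < len(b):
            # lea rbp, [rsp + disp8]: modrm 6C (mod=01, reg=rbp, rm=SIB), SIB 24 (base=rsp)
            disp = b[i + 3] - 256 if b[i + 3] >= 0x80 else b[i + 3]
            insns.append(f"lea rbp, [rsp{disp:+#x}]")
            i += 4
        elif op == 0x81 and rex & 8 and b[i + 1:i + 2] == b"\xec":
            # sub rsp, imm32: modrm EC (mod=11, /5, rm=rsp); the atom may be truncated mid-immediate
            imm = b[i + 2:i + 6]
            val = int.from_bytes(imm.ljust(4, b"\0"), "little")
            insns.append(f"sub rsp, {val:#x}" + ("" if len(imm) == 4 else " (imm truncated)"))
            i += 2 + len(imm)
        else:
            insns.append(f"db {op:#04x}")
            break
    return insns


def is_x64_prologue(insns):
    """A frame set-up that starts with push rbp and reserves stack with sub rsp."""
    return insns[:1] == ["push rbp"] and any(s.startswith("sub rsp,") for s in insns)


if __name__ == "__main__":
    parsed = parse_report(REPORT_LINES)
    for src, target in injection_chain(parsed):
        print(f"{src} -> {target}: RWX protect change + queued APC")
    for src, ev in parsed.items():
        for atom in ev["atoms"]:
            insns = decode_prologue(atom)
            print(src, atom, "x64 prologue" if is_x64_prologue(insns) else "unrecognised", insns)
```

Feeding the whole "Source:" section of a report through parse_report gives one chain per injector; the rundll32.exe entries drop out because their target is logged as "unknown" and no APC is attributed to them, which is exactly the gap an analyst should note before treating the rundll32 path as fully characterised.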

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation (2 calls)
Source: C:\Windows\System32\regsvr32.exe Queries volume information: unknown VolumeInformation (2 calls)
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation (42 calls)
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Queries volume information: unknown VolumeInformation (2 calls)
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
InstallDate and MachineGuid are stable for the lifetime of a Windows installation; together with the volume serial queried above they are the usual inputs to a per-host identifier, so treat these reads as host fingerprinting rather than as an environment check.
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C63F20 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 40_2_00007FF6E3C63F20
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C61B64 memset,GetModuleHandleW,LoadStringW,LocalAlloc,GetUserNameExW,GetLastError,LocalAlloc,LocalFree,LocalFree,WindowsDeleteString,WindowsDeleteString,GetUserNameExW,wcschr,WindowsCreateString,WindowsDeleteString,WindowsCreateString,WindowsDeleteString,WindowsCreateStringReference,RaiseException,RoGetActivationFactory,WindowsIsStringEmpty,WindowsIsStringEmpty,WindowsCreateStringReference,RaiseException,RoActivateInstance,RaiseException,WindowsCreateStringReference,WindowsCreateStringReference,RaiseException,RoGetActivationFactory,GetSystemTimeAsFileTime,WindowsCreateStringReference,RaiseException,RoGetActivationFactory,WindowsCreateStringReference,RaiseException, 40_2_00007FF6E3C61B64

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C63578 memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,LocalAlloc,CreateWellKnownSid,GetLastError,RpcBindingSetAuthInfoExW,LocalFree,RpcBindingFree, 40_2_00007FF6E3C63578
Source: C:\Users\user\AppData\Local\BAz\wlrmdr.exe Code function: 40_2_00007FF6E3C63020 memset,RpcBindingFree,GetAncestor,EnableWindow,CloseHandle,RpcAsyncInitializeHandle,Ndr64AsyncClientCall,EnableWindow,LocalFree, 40_2_00007FF6E3C63020
Caveat: every RPC call listed here (RpcStringBindingComposeW, RpcBindingFromStringBindingW, RpcBindingSetAuthInfoExW, RpcAsyncInitializeHandle, Ndr64AsyncClientCall) is client-side; nothing in these functions registers an endpoint or calls RpcServerListen, so they do not open a listening port and the backdoor heuristic is a false positive for this evidence. The code belongs to wlrmdr.exe itself, a Windows system binary, which the sample runs from a copy in C:\Users\user\AppData\Local\BAz\ next to the dropped DUI70.dll; a signed system executable relocated beside a same-named library is the layout of DLL side-loading, and that relocation, not the RPC code, is the indicator worth hunting for.