Windows Analysis Report Zd9TtpY4Kh

AV Detection:

Multi AV Scanner detection for submitted file

Source: Zd9TtpY4Kh.dll

ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files

Source: Zd9TtpY4Kh.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Zd9TtpY4Kh.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.547405637.0000000004247000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.558985730.0000000000472000.00000004.00000001.sdmp

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDD0927 FindFirstFileExW,		0_2_6EDD0927
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDD0927 FindFirstFileExW,		2_2_6EDD0927

Networking:

URLs found in memory or binary data

Source: svchost.exe, 00000005.00000002.631051852.000001B12B061000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.594100601.000000000492B000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.594133771.000000000492E000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.594163429.0000000004934000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.596176213.0000000004935000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000005.00000002.631051852.000001B12B061000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: Amcache.hve.22.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000000C.00000002.443019178.0000021775413000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.774381529.00000281D2C41000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.774381529.00000281D2C41000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com/
Source: svchost.exe, 00000007.00000002.774381529.00000281D2C41000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.774381529.00000281D2C41000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.774381529.00000281D2C41000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.774381529.00000281D2C41000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417204815.000002177545E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.454924916.0000021775456000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000002.454924916.0000021775456000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000003.417175938.0000021775469000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.458598242.000002177546B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.417255421.0000021775446000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417221541.0000021775442000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417236188.0000021775443000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.453235698.000002177544E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.454924916.0000021775456000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000003.417200811.0000021775460000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.456745075.0000021775461000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.455648502.000002177545B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417221541.0000021775442000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417211454.000002177545A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000000C.00000003.417204815.000002177545E000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000002.455648502.000002177545B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417211454.000002177545A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000002.455648502.000002177545B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417211454.000002177545A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000002.453235698.000002177544E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.456745075.0000021775461000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.417197364.0000021775463000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.454924916.0000021775456000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: svchost.exe, 0000000C.00000002.451895729.0000021775441000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417263243.0000021775440000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.450658909.000002177543C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000003.367845176.0000021775430000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417243666.0000021775439000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000003.417255421.0000021775446000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417221541.0000021775442000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.417236188.0000021775443000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen19

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2da0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.26a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2ec0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.26a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.27521e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.27521e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.29121e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.2a00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1383618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.29121e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2933508.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.fa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1383618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2da24b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2933508.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.2a00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2ec0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2660000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2da0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2da24b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.539981294.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.562664559.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.507700136.0000000002EFC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.540057881.000000000137C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.540904925.00000000028FA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.534967742.000000000273A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.561743739.000000000137C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.538242653.000000000291A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.537633031.0000000002660000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.534990244.0000000002840000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.542442475.000000000137C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.563041724.000000000137C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.651948468.0000000002D8A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.651976449.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.541263948.0000000002A00000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.775119059.00000000026A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.596937604.000000000137C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.561459077.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.542217719.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.521244679.0000000002DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.596698488.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: Zd9TtpY4Kh.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5444 -ip 5444

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Kqkxkcs\syeog.ubw:Zone.Identifier

Jump to behavior

Creates files inside the system directory

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Kqkxkcs\

Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FC1291		0_2_00FC1291
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA46FA		0_2_00FA46FA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA1EFB		0_2_00FA1EFB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB40FE		0_2_00FB40FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA84F0		0_2_00FA84F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB62F5		0_2_00FB62F5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB4CF5		0_2_00FB4CF5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAC0EA		0_2_00FAC0EA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB56E9		0_2_00FB56E9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA40E2		0_2_00FA40E2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FC1CDB		0_2_00FC1CDB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB52D1		0_2_00FB52D1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA90D4		0_2_00FA90D4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB28D5		0_2_00FB28D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FC20CE		0_2_00FC20CE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB10CD		0_2_00FB10CD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA2CC2		0_2_00FA2CC2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA92C1		0_2_00FA92C1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBA29B		0_2_00FBA29B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB009A		0_2_00FB009A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBE899		0_2_00FBE899
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAFE9D		0_2_00FAFE9D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB0A93		0_2_00FB0A93
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBCE90		0_2_00FBCE90
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB0E97		0_2_00FB0E97
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAF48A		0_2_00FAF48A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAA083		0_2_00FAA083
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAFA78		0_2_00FAFA78
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA387F		0_2_00FA387F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBB677		0_2_00FBB677
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA3A6C		0_2_00FA3A6C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAEE60		0_2_00FAEE60
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAB464		0_2_00FAB464
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FACE5A		0_2_00FACE5A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA6453		0_2_00FA6453
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBEA55		0_2_00FBEA55
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAAA4E		0_2_00FAAA4E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA544C		0_2_00FA544C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB3043		0_2_00FB3043
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAAE43		0_2_00FAAE43
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB7445		0_2_00FB7445
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA243F		0_2_00FA243F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA3432		0_2_00FA3432
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA3228		0_2_00FA3228
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB282D		0_2_00FB282D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA9824		0_2_00FA9824
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FC261E		0_2_00FC261E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA800A		0_2_00FA800A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBC205		0_2_00FBC205
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBEDED		0_2_00FBEDED
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA51EC		0_2_00FA51EC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAA3E7		0_2_00FAA3E7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA75D2		0_2_00FA75D2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA19C0		0_2_00FA19C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB85B8		0_2_00FB85B8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA43BE		0_2_00FA43BE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA59BF		0_2_00FA59BF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBD7BE		0_2_00FBD7BE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBE3B5		0_2_00FBE3B5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB89A2		0_2_00FB89A2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBE5A7		0_2_00FBE5A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBDDA5		0_2_00FBDDA5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB0BA4		0_2_00FB0BA4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB1591		0_2_00FB1591
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAB191		0_2_00FAB191
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA7795		0_2_00FA7795
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA358B		0_2_00FA358B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB3782		0_2_00FB3782
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA8D80		0_2_00FA8D80
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA4B81		0_2_00FA4B81
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBDB87		0_2_00FBDB87
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FC0370		0_2_00FC0370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FACF6E		0_2_00FACF6E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FABD61		0_2_00FABD61
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB6540		0_2_00FB6540
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAF73B		0_2_00FAF73B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBCD35		0_2_00FBCD35
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FAA92F		0_2_00FAA92F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB9124		0_2_00FB9124
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA4D1E		0_2_00FA4D1E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FACB13		0_2_00FACB13
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB970A		0_2_00FB970A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBE10A		0_2_00FBE10A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB590E		0_2_00FB590E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB3D0C		0_2_00FB3D0C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FBBF0C		0_2_00FBBF0C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDB77B4		0_2_6EDB77B4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDB9F10		0_2_6EDB9F10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDB1DE0		0_2_6EDB1DE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDBD530		0_2_6EDBD530
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDB3A90		0_2_6EDB3A90
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDC0380		0_2_6EDC0380
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDCE3A1		0_2_6EDCE3A1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDC10C0		0_2_6EDC10C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDBA890		0_2_6EDBA890
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDBE890		0_2_6EDBE890
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDB68B0		0_2_6EDB68B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDB6070		0_2_6EDB6070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDB77B4		2_2_6EDB77B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDB9F10		2_2_6EDB9F10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDB1DE0		2_2_6EDB1DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDBD530		2_2_6EDBD530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDB3A90		2_2_6EDB3A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDC0380		2_2_6EDC0380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDCE3A1		2_2_6EDCE3A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDC10C0		2_2_6EDC10C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDBA890		2_2_6EDBA890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDBE890		2_2_6EDBE890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDB68B0		2_2_6EDB68B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDB6070		2_2_6EDB6070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02861291		4_2_02861291
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285EA55		4_2_0285EA55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284A083		4_2_0284A083
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284F48A		4_2_0284F48A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02850E97		4_2_02850E97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285CE90		4_2_0285CE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02850A93		4_2_02850A93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284FE9D		4_2_0284FE9D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285E899		4_2_0285E899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285A29B		4_2_0285A29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285009A		4_2_0285009A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028492C1		4_2_028492C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02842CC2		4_2_02842CC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028620CE		4_2_028620CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028510CD		4_2_028510CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028490D4		4_2_028490D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028528D5		4_2_028528D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028552D1		4_2_028552D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02861CDB		4_2_02861CDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028440E2		4_2_028440E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028556E9		4_2_028556E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284C0EA		4_2_0284C0EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028562F5		4_2_028562F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02854CF5		4_2_02854CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028484F0		4_2_028484F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028540FE		4_2_028540FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028446FA		4_2_028446FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02841EFB		4_2_02841EFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285C205		4_2_0285C205
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284800A		4_2_0284800A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0286261E		4_2_0286261E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02849824		4_2_02849824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285282D		4_2_0285282D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02843228		4_2_02843228
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02843432		4_2_02843432
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284243F		4_2_0284243F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02857445		4_2_02857445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02853043		4_2_02853043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284AE43		4_2_0284AE43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284544C		4_2_0284544C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284AA4E		4_2_0284AA4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02846453		4_2_02846453
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284CE5A		4_2_0284CE5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284B464		4_2_0284B464
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284EE60		4_2_0284EE60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02843A6C		4_2_02843A6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285B677		4_2_0285B677
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284387F		4_2_0284387F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284FA78		4_2_0284FA78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285DB87		4_2_0285DB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02848D80		4_2_02848D80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02844B81		4_2_02844B81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02853782		4_2_02853782
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284358B		4_2_0284358B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02847795		4_2_02847795
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02851591		4_2_02851591
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284B191		4_2_0284B191
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285DDA5		4_2_0285DDA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02850BA4		4_2_02850BA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285E5A7		4_2_0285E5A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028589A2		4_2_028589A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285E3B5		4_2_0285E3B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028443BE		4_2_028443BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028459BF		4_2_028459BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285D7BE		4_2_0285D7BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028585B8		4_2_028585B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028419C0		4_2_028419C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028475D2		4_2_028475D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284A3E7		4_2_0284A3E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285EDED		4_2_0285EDED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028451EC		4_2_028451EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02853D0C		4_2_02853D0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285BF0C		4_2_0285BF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285590E		4_2_0285590E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285970A		4_2_0285970A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285E10A		4_2_0285E10A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284CB13		4_2_0284CB13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02844D1E		4_2_02844D1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02859124		4_2_02859124
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284A92F		4_2_0284A92F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0285CD35		4_2_0285CD35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284F73B		4_2_0284F73B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02856540		4_2_02856540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284BD61		4_2_0284BD61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0284CF6E		4_2_0284CF6E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02860370		4_2_02860370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EE1291		16_2_02EE1291
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDEA55		16_2_02EDEA55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED56E9		16_2_02ED56E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECC0EA		16_2_02ECC0EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC40E2		16_2_02EC40E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED40FE		16_2_02ED40FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC46FA		16_2_02EC46FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC1EFB		16_2_02EC1EFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED62F5		16_2_02ED62F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED4CF5		16_2_02ED4CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC84F0		16_2_02EC84F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EE20CE		16_2_02EE20CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED10CD		16_2_02ED10CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC92C1		16_2_02EC92C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC2CC2		16_2_02EC2CC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EE1CDB		16_2_02EE1CDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC90D4		16_2_02EC90D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED28D5		16_2_02ED28D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED52D1		16_2_02ED52D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECF48A		16_2_02ECF48A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECA083		16_2_02ECA083
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECFE9D		16_2_02ECFE9D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDE899		16_2_02EDE899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDA29B		16_2_02EDA29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED009A		16_2_02ED009A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED0E97		16_2_02ED0E97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDCE90		16_2_02EDCE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED0A93		16_2_02ED0A93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC3A6C		16_2_02EC3A6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECB464		16_2_02ECB464
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECEE60		16_2_02ECEE60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC387F		16_2_02EC387F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECFA78		16_2_02ECFA78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDB677		16_2_02EDB677
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC544C		16_2_02EC544C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECAA4E		16_2_02ECAA4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED7445		16_2_02ED7445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED3043		16_2_02ED3043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECAE43		16_2_02ECAE43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECCE5A		16_2_02ECCE5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC6453		16_2_02EC6453
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED282D		16_2_02ED282D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC3228		16_2_02EC3228
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC9824		16_2_02EC9824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC243F		16_2_02EC243F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC3432		16_2_02EC3432
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC800A		16_2_02EC800A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDC205		16_2_02EDC205
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EE261E		16_2_02EE261E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDEDED		16_2_02EDEDED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC51EC		16_2_02EC51EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECA3E7		16_2_02ECA3E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC19C0		16_2_02EC19C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC75D2		16_2_02EC75D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDDDA5		16_2_02EDDDA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED0BA4		16_2_02ED0BA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDE5A7		16_2_02EDE5A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED89A2		16_2_02ED89A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC43BE		16_2_02EC43BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC59BF		16_2_02EC59BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDD7BE		16_2_02EDD7BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED85B8		16_2_02ED85B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDE3B5		16_2_02EDE3B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC358B		16_2_02EC358B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDDB87		16_2_02EDDB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC8D80		16_2_02EC8D80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC4B81		16_2_02EC4B81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED3782		16_2_02ED3782
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC7795		16_2_02EC7795
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED1591		16_2_02ED1591
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECB191		16_2_02ECB191
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECCF6E		16_2_02ECCF6E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECBD61		16_2_02ECBD61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EE0370		16_2_02EE0370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED6540		16_2_02ED6540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECA92F		16_2_02ECA92F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED9124		16_2_02ED9124
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECF73B		16_2_02ECF73B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDCD35		16_2_02EDCD35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED3D0C		16_2_02ED3D0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDBF0C		16_2_02EDBF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED590E		16_2_02ED590E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED970A		16_2_02ED970A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EDE10A		16_2_02EDE10A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC4D1E		16_2_02EC4D1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ECCB13		16_2_02ECCB13

Found potential string decryption / allocating functions

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EDCAC90 appears 33 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EDB1DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EDCAC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EDB1DE0 appears 93 times

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Sample is known by Antivirus

Source: Zd9TtpY4Kh.dll

ReversingLabs: Detection: 17%

PE file has an executable .text section and no other executable section

Source: Zd9TtpY4Kh.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,ajkaibu
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,akyncbgollmj
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kqkxkcs\syeog.ubw",IADPmoEsmQuul
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5444 -ip 5444
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 320
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 5444 -ip 5444
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 340
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kqkxkcs\syeog.ubw",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,ajkaibu			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,akyncbgollmj			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kqkxkcs\syeog.ubw",IADPmoEsmQuul			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",Control_RunDLL			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kqkxkcs\syeog.ubw",Control_RunDLL			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5444 -ip 5444			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 320			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 5444 -ip 5444			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 340			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Creates temporary files

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A77.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal80.troj.evad.winDLL@45/21@0/2

Reads ini files

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Runs a DLL by calling functions

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Zd9TtpY4Kh.dll,Control_RunDLL

Creates mutexes

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:1060:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:5988:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5444
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4500:120:WilError_01

Reads the hosts file

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Zd9TtpY4Kh.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: Zd9TtpY4Kh.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.547405637.0000000004247000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.550124184.0000000004AE1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.579244132.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.558985730.0000000000472000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FA13E7 push esi; retf		0_2_00FA13F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDD6A93 push ecx; ret		0_2_6EDD6AA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDD6A93 push ecx; ret		2_2_6EDD6AA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028413E7 push esi; retf		4_2_028413F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02EC13E7 push esi; retf		16_2_02EC13F0

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EDBE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

0_2_6EDBE690

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Kqkxkcs\syeog.ubw

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Kqkxkcs\syeog.ubw:Zone.Identifier read attributes | delete

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 6224	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6288	Thread sleep time: -30000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Queries a list of all running processes

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDD0927 FindFirstFileExW,		0_2_6EDD0927
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDD0927 FindFirstFileExW,		2_2_6EDD0927

Checks the free space of harddrives

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: Amcache.hve.22.dr	Binary or memory string: VMware
Source: Amcache.hve.22.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: svchost.exe, 00000005.00000002.631051852.000001B12B061000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: Amcache.hve.22.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.22.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.22.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.22.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.22.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.22.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000005.00000002.631039231.000001B12B054000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.630734667.000001B125A29000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.594100601.000000000492B000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.594133771.000000000492E000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.594163429.0000000004934000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.596176213.0000000004935000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.22.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.22.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: WerFault.exe, 00000018.00000002.596113457.0000000004900000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW(
Source: Amcache.hve.22.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.22.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.22.dr	Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: svchost.exe, 00000007.00000002.774381529.00000281D2C41000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.774370076.0000029555629000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.22.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EDCAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6EDCAB0C

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EDBE690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

0_2_6EDBE690

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EDB1290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree,

0_2_6EDB1290

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00FB07D2 mov eax, dword ptr fs:[00000030h]		0_2_00FB07D2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDC9990 mov eax, dword ptr fs:[00000030h]		0_2_6EDC9990
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDCEC0B mov ecx, dword ptr fs:[00000030h]		0_2_6EDCEC0B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDD02CC mov eax, dword ptr fs:[00000030h]		0_2_6EDD02CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDC9920 mov esi, dword ptr fs:[00000030h]		0_2_6EDC9920
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDC9920 mov eax, dword ptr fs:[00000030h]		0_2_6EDC9920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDC9990 mov eax, dword ptr fs:[00000030h]		2_2_6EDC9990
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDCEC0B mov ecx, dword ptr fs:[00000030h]		2_2_6EDCEC0B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDD02CC mov eax, dword ptr fs:[00000030h]		2_2_6EDD02CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDC9920 mov esi, dword ptr fs:[00000030h]		2_2_6EDC9920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDC9920 mov eax, dword ptr fs:[00000030h]		2_2_6EDC9920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_028507D2 mov eax, dword ptr fs:[00000030h]		4_2_028507D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_02ED07D2 mov eax, dword ptr fs:[00000030h]		16_2_02ED07D2

Checks if the current process is being debugged

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00FA2ADB LdrInitializeThunk,

0_2_00FA2ADB

Contains functionality to register its own exception handler

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDCA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6EDCA462
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDCAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6EDCAB0C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EDD0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6EDD0326
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDCA462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		2_2_6EDCA462
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDCAB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		2_2_6EDCAB0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EDD0326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		2_2_6EDD0326

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Zd9TtpY4Kh.dll",#1			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5444 -ip 5444			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 320			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 168 -p 5444 -ip 5444			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 340			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: loaddll32.exe, 00000000.00000000.563156446.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.561900218.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.540227987.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.542781571.0000000001A40000.00000002.00020000.sdmp, rundll32.exe, 0000001E.00000002.776456437.0000000002DC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.563156446.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.561900218.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.540227987.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.542781571.0000000001A40000.00000002.00020000.sdmp, rundll32.exe, 0000001E.00000002.776456437.0000000002DC0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.563156446.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.561900218.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.540227987.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.542781571.0000000001A40000.00000002.00020000.sdmp, rundll32.exe, 0000001E.00000002.776456437.0000000002DC0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000000.563156446.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.561900218.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.540227987.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.542781571.0000000001A40000.00000002.00020000.sdmp, rundll32.exe, 0000001E.00000002.776456437.0000000002DC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000000.563156446.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.561900218.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.540227987.0000000001A40000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.542781571.0000000001A40000.00000002.00020000.sdmp, rundll32.exe, 0000001E.00000002.776456437.0000000002DC0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EDCA584 cpuid

0_2_6EDCA584

Contains functionality to query local / system time

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EDCA755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6EDCA755

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.22.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.22.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000E.00000002.774753733.000002E08A640000.00000004.00000001.sdmp	Binary or memory string: &@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.774572684.000002E08A629000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.775088869.000002E08A702000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet

Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2da0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.26a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2ec0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.rundll32.exe.26a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.27521e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.27521e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.29121e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.2a00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1383618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.29121e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2933508.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.fa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1383618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2da24b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2933508.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.2a00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2ec0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2660000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.fa0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.2da0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1383618.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2da24b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.539981294.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.562664559.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.507700136.0000000002EFC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.540057881.000000000137C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.540904925.00000000028FA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.534967742.000000000273A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.561743739.000000000137C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.538242653.000000000291A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.537633031.0000000002660000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.534990244.0000000002840000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.542442475.000000000137C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.563041724.000000000137C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.651948468.0000000002D8A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.651976449.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.541263948.0000000002A00000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.775119059.00000000026A0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.596937604.000000000137C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.561459077.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.542217719.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.521244679.0000000002DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.596698488.0000000000FA0000.00000040.00000010.sdmp, type: MEMORY