Windows Analysis Report 5i3yQOSqTm

AV Detection:

Multi AV Scanner detection for submitted file

Source: 5i3yQOSqTm.dll	Virustotal: Detection: 19%			Perma Link
Source: 5i3yQOSqTm.dll	ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files

Source: 5i3yQOSqTm.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 5i3yQOSqTm.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.574975422.0000000004C67000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.597304203.000000000106C000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: upwntdll.pdb source: WerFault.exe, 0000001C.00000003.597669330.0000000004ED5000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000017.00000002.585364416.0000000000B42000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000001C.00000003.597304203.000000000106C000.00000004.00000001.sdmp

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE20927 FindFirstFileExW,		0_2_6EE20927
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE20927 FindFirstFileExW,		2_2_6EE20927

Networking:

Found strings which match to known social media urls

Source: svchost.exe, 00000025.00000003.738737480.000001E038C03000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000025.00000003.738737480.000001E038C03000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000025.00000003.738737480.000001E038C03000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-26T13:57:30.0386475Z||.||6f0c105d-3db6-47de-894d-fd95973349e2||1152921505694224549||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000025.00000003.738737480.000001E038C03000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-26T13:57:30.0386475Z||.||6f0c105d-3db6-47de-894d-fd95973349e2||1152921505694224549||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"

URLs found in memory or binary data

Source: svchost.exe, 00000004.00000002.622214676.0000019F85E61000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.621423158.0000000004F1B000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.619241344.0000000004F1B000.00000004.00000001.sdmp, svchost.exe, 00000025.00000002.765156452.000001E037EE9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 0000001C.00000003.619241344.0000000004F1B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoft
Source: svchost.exe, 00000004.00000002.622117475.0000019F85E13000.00000004.00000001.sdmp, svchost.exe, 00000025.00000002.765156452.000001E037EE9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000025.00000003.729111764.000001E03877A000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000004.00000002.621987822.0000019F808B7000.00000004.00000001.sdmp, svchost.exe, 00000004.00000003.621423495.0000019F808B1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumera
Source: svchost.exe, 00000004.00000002.621987822.0000019F808B7000.00000004.00000001.sdmp, svchost.exe, 00000004.00000003.621423495.0000019F808B1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
Source: Amcache.hve.23.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000000A.00000002.382112778.0000020610E13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000006.00000002.785206676.000001D1BF041000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.785206676.000001D1BF041000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000002.785206676.000001D1BF041000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.785206676.000001D1BF041000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000002.785206676.000001D1BF041000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000003.379648907.0000020610E5E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.382143532.0000020610E56000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000002.382143532.0000020610E56000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.379142007.0000020610E69000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.382154384.0000020610E6B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.382139213.0000020610E4E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379684923.0000020610E43000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379704259.0000020610E46000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379668711.0000020610E42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.382143532.0000020610E56000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.379644083.0000020610E60000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.382148880.0000020610E61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.379657424.0000020610E5A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379668711.0000020610E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.382146085.0000020610E5B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000025.00000003.729111764.000001E03877A000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000A.00000003.379648907.0000020610E5E000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.379657424.0000020610E5A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.382146085.0000020610E5B000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.379657424.0000020610E5A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.382146085.0000020610E5B000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.379668711.0000020610E42000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379648907.0000020610E5E000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.379639919.0000020610E63000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.382143532.0000020610E56000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: svchost.exe, 0000000A.00000003.379713180.0000020610E40000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.382133765.0000020610E41000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.382130004.0000020610E3C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000003.341015452.0000020610E30000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379694312.0000020610E39000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000003.379684923.0000020610E43000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379704259.0000020610E46000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379668711.0000020610E42000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen19
Source: WerFault.exe, 0000001C.00000002.621402260.0000000004F08000.00000004.00000001.sdmp	String found in binary or memory: https://watson.telemetry.micro
Source: svchost.exe, 00000025.00000003.729111764.000001E03877A000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000025.00000003.729111764.000001E03877A000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000025.00000003.731786295.000001E03877B000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.731823212.000001E0387D5000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.731811576.000001E03879D000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.731869215.000001E038777000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.731800691.000001E03878C000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.731837751.000001E0387D5000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.731851677.000001E0387BE000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 5.2.rundll32.exe.ca21e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.ca21e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.31721e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.f60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.f83618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.d12460.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.8d3508.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.d12460.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.f83618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.e10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.f60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.8d3508.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.31721e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.568855686.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.520020229.00000000006CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.654498844.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.569090954.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.784894715.0000000000D60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.568532914.0000000000C8A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.570083613.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.570281269.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.772094317.0000000000C4B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.593746221.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527531884.0000000000A90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.568102560.0000000000B00000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.567804185.000000000315A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.547175169.00000000005B0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.593529130.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.592478741.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.622171924.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.654439419.0000000000CFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.622274934.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.567601226.0000000000E10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527507715.00000000008BA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.592320940.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: 5i3yQOSqTm.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1860 -ip 1860

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld:Zone.Identifier

Jump to behavior

Creates files inside the system directory

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Tormivkitze\

Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DC1291		0_2_00DC1291
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DC1CDB		0_2_00DC1CDB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB52D1		0_2_00DB52D1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA90D4		0_2_00DA90D4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB28D5		0_2_00DB28D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DC20CE		0_2_00DC20CE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB10CD		0_2_00DB10CD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA2CC2		0_2_00DA2CC2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA92C1		0_2_00DA92C1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA46FA		0_2_00DA46FA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA1EFB		0_2_00DA1EFB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB40FE		0_2_00DB40FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA84F0		0_2_00DA84F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB62F5		0_2_00DB62F5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB4CF5		0_2_00DB4CF5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DAC0EA		0_2_00DAC0EA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB56E9		0_2_00DB56E9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA40E2		0_2_00DA40E2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBA29B		0_2_00DBA29B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB009A		0_2_00DB009A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBE899		0_2_00DBE899
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DAFE9D		0_2_00DAFE9D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB0A93		0_2_00DB0A93
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBCE90		0_2_00DBCE90
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB0E97		0_2_00DB0E97
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DAF48A		0_2_00DAF48A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DAA083		0_2_00DAA083
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DACE5A		0_2_00DACE5A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA6453		0_2_00DA6453
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBEA55		0_2_00DBEA55
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DAAA4E		0_2_00DAAA4E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA544C		0_2_00DA544C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB3043		0_2_00DB3043
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DAAE43		0_2_00DAAE43
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB7445		0_2_00DB7445
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DAFA78		0_2_00DAFA78
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA387F		0_2_00DA387F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBB677		0_2_00DBB677
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA3A6C		0_2_00DA3A6C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DAEE60		0_2_00DAEE60
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DAB464		0_2_00DAB464
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DC261E		0_2_00DC261E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA800A		0_2_00DA800A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBC205		0_2_00DBC205
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA243F		0_2_00DA243F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA3432		0_2_00DA3432
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA3228		0_2_00DA3228
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB282D		0_2_00DB282D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA9824		0_2_00DA9824
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA75D2		0_2_00DA75D2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA19C0		0_2_00DA19C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBEDED		0_2_00DBEDED
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA51EC		0_2_00DA51EC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DAA3E7		0_2_00DAA3E7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB1591		0_2_00DB1591
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DAB191		0_2_00DAB191
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA7795		0_2_00DA7795
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA358B		0_2_00DA358B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB3782		0_2_00DB3782
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA8D80		0_2_00DA8D80
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA4B81		0_2_00DA4B81
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBDB87		0_2_00DBDB87
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB85B8		0_2_00DB85B8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA43BE		0_2_00DA43BE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA59BF		0_2_00DA59BF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBD7BE		0_2_00DBD7BE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBE3B5		0_2_00DBE3B5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB89A2		0_2_00DB89A2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBE5A7		0_2_00DBE5A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBDDA5		0_2_00DBDDA5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB0BA4		0_2_00DB0BA4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB6540		0_2_00DB6540
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DC0370		0_2_00DC0370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DACF6E		0_2_00DACF6E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DABD61		0_2_00DABD61
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA4D1E		0_2_00DA4D1E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DACB13		0_2_00DACB13
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB970A		0_2_00DB970A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBE10A		0_2_00DBE10A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB590E		0_2_00DB590E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB3D0C		0_2_00DB3D0C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBBF0C		0_2_00DBBF0C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DAF73B		0_2_00DAF73B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DBCD35		0_2_00DBCD35
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DAA92F		0_2_00DAA92F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB9124		0_2_00DB9124
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE077B4		0_2_6EE077B4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE09F10		0_2_6EE09F10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE01DE0		0_2_6EE01DE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE0D530		0_2_6EE0D530
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE03A90		0_2_6EE03A90
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE1E3A1		0_2_6EE1E3A1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE10380		0_2_6EE10380
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE110C0		0_2_6EE110C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE068B0		0_2_6EE068B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE0A890		0_2_6EE0A890
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE0E890		0_2_6EE0E890
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE06070		0_2_6EE06070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE077B4		2_2_6EE077B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE09F10		2_2_6EE09F10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE01DE0		2_2_6EE01DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE0D530		2_2_6EE0D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE03A90		2_2_6EE03A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE1E3A1		2_2_6EE1E3A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE10380		2_2_6EE10380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE110C0		2_2_6EE110C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE068B0		2_2_6EE068B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE0A890		2_2_6EE0A890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE0E890		2_2_6EE0E890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE06070		2_2_6EE06070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AB1291		3_2_00AB1291
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AAEA55		3_2_00AAEA55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9F48A		3_2_00A9F48A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9A083		3_2_00A9A083
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA009A		3_2_00AA009A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AAA29B		3_2_00AAA29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AAE899		3_2_00AAE899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9FE9D		3_2_00A9FE9D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA0A93		3_2_00AA0A93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AACE90		3_2_00AACE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA0E97		3_2_00AA0E97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9C0EA		3_2_00A9C0EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA56E9		3_2_00AA56E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A940E2		3_2_00A940E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A91EFB		3_2_00A91EFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A946FA		3_2_00A946FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA40FE		3_2_00AA40FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A984F0		3_2_00A984F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA62F5		3_2_00AA62F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA4CF5		3_2_00AA4CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AB20CE		3_2_00AB20CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA10CD		3_2_00AA10CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A992C1		3_2_00A992C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A92CC2		3_2_00A92CC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AB1CDB		3_2_00AB1CDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA52D1		3_2_00AA52D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A990D4		3_2_00A990D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA28D5		3_2_00AA28D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A93228		3_2_00A93228
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA282D		3_2_00AA282D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A99824		3_2_00A99824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9243F		3_2_00A9243F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A93432		3_2_00A93432
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9800A		3_2_00A9800A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AAC205		3_2_00AAC205
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AB261E		3_2_00AB261E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A93A6C		3_2_00A93A6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9EE60		3_2_00A9EE60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9B464		3_2_00A9B464
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9FA78		3_2_00A9FA78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9387F		3_2_00A9387F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AAB677		3_2_00AAB677
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9544C		3_2_00A9544C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9AA4E		3_2_00A9AA4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA3043		3_2_00AA3043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9AE43		3_2_00A9AE43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA7445		3_2_00AA7445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9CE5A		3_2_00A9CE5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A96453		3_2_00A96453
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA89A2		3_2_00AA89A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AAE5A7		3_2_00AAE5A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA0BA4		3_2_00AA0BA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AADDA5		3_2_00AADDA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA85B8		3_2_00AA85B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AAD7BE		3_2_00AAD7BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A959BF		3_2_00A959BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A943BE		3_2_00A943BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AAE3B5		3_2_00AAE3B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9358B		3_2_00A9358B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A94B81		3_2_00A94B81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA3782		3_2_00AA3782
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A98D80		3_2_00A98D80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AADB87		3_2_00AADB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9B191		3_2_00A9B191
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA1591		3_2_00AA1591
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A97795		3_2_00A97795
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A951EC		3_2_00A951EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AAEDED		3_2_00AAEDED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9A3E7		3_2_00A9A3E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A919C0		3_2_00A919C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A975D2		3_2_00A975D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9A92F		3_2_00A9A92F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA9124		3_2_00AA9124
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9F73B		3_2_00A9F73B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AACD35		3_2_00AACD35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA970A		3_2_00AA970A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AAE10A		3_2_00AAE10A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA590E		3_2_00AA590E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA3D0C		3_2_00AA3D0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AABF0C		3_2_00AABF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A94D1E		3_2_00A94D1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9CB13		3_2_00A9CB13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9CF6E		3_2_00A9CF6E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A9BD61		3_2_00A9BD61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AB0370		3_2_00AB0370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA6540		3_2_00AA6540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F81291		16_2_00F81291
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7EA55		16_2_00F7EA55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F762F5		16_2_00F762F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F74CF5		16_2_00F74CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F684F0		16_2_00F684F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F740FE		16_2_00F740FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F646FA		16_2_00F646FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F61EFB		16_2_00F61EFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F640E2		16_2_00F640E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6C0EA		16_2_00F6C0EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F756E9		16_2_00F756E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F690D4		16_2_00F690D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F728D5		16_2_00F728D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F81CDB		16_2_00F81CDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F752D1		16_2_00F752D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F62CC2		16_2_00F62CC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F820CE		16_2_00F820CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F692C1		16_2_00F692C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F710CD		16_2_00F710CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F70E97		16_2_00F70E97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F70A93		16_2_00F70A93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7CE90		16_2_00F7CE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6FE9D		16_2_00F6FE9D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7A29B		16_2_00F7A29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7009A		16_2_00F7009A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7E899		16_2_00F7E899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6A083		16_2_00F6A083
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6F48A		16_2_00F6F48A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7B677		16_2_00F7B677
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6387F		16_2_00F6387F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6FA78		16_2_00F6FA78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6B464		16_2_00F6B464
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6EE60		16_2_00F6EE60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F63A6C		16_2_00F63A6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F66453		16_2_00F66453
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6CE5A		16_2_00F6CE5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F77445		16_2_00F77445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F73043		16_2_00F73043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6AE43		16_2_00F6AE43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6AA4E		16_2_00F6AA4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6544C		16_2_00F6544C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F63432		16_2_00F63432
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6243F		16_2_00F6243F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F69824		16_2_00F69824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7282D		16_2_00F7282D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F63228		16_2_00F63228
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F8261E		16_2_00F8261E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7C205		16_2_00F7C205
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6800A		16_2_00F6800A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6A3E7		16_2_00F6A3E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7EDED		16_2_00F7EDED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F651EC		16_2_00F651EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F675D2		16_2_00F675D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F619C0		16_2_00F619C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7E3B5		16_2_00F7E3B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F643BE		16_2_00F643BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F659BF		16_2_00F659BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7D7BE		16_2_00F7D7BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F785B8		16_2_00F785B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7E5A7		16_2_00F7E5A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7DDA5		16_2_00F7DDA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F70BA4		16_2_00F70BA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F789A2		16_2_00F789A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F67795		16_2_00F67795
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F71591		16_2_00F71591
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6B191		16_2_00F6B191
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7DB87		16_2_00F7DB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F73782		16_2_00F73782
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F68D80		16_2_00F68D80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F64B81		16_2_00F64B81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6358B		16_2_00F6358B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F80370		16_2_00F80370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6BD61		16_2_00F6BD61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6CF6E		16_2_00F6CF6E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F76540		16_2_00F76540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7CD35		16_2_00F7CD35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6F73B		16_2_00F6F73B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F79124		16_2_00F79124
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6A92F		16_2_00F6A92F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F6CB13		16_2_00F6CB13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F64D1E		16_2_00F64D1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7590E		16_2_00F7590E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F73D0C		16_2_00F73D0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7BF0C		16_2_00F7BF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7970A		16_2_00F7970A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F7E10A		16_2_00F7E10A

Found potential string decryption / allocating functions

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EE01DE0 appears 97 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EE1AC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EE01DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EE1AC90 appears 33 times

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Sample is known by Antivirus

Source: 5i3yQOSqTm.dll	Virustotal: Detection: 19%
Source: 5i3yQOSqTm.dll	ReversingLabs: Detection: 17%

PE file has an executable .text section and no other executable section

Source: 5i3yQOSqTm.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,ajkaibu
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,akyncbgollmj
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld",BvsmkekIa
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1860 -ip 1860
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 304
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1860 -ip 1860
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 348
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Tormivkitze\hbajscvbpn.eld",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,Control_RunDLL			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,ajkaibu			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,akyncbgollmj			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld",BvsmkekIa			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",Control_RunDLL			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Tormivkitze\hbajscvbpn.eld",Control_RunDLL			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1860 -ip 1860			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 304			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1860 -ip 1860			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 348			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Creates temporary files

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA26E.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal80.troj.evad.winDLL@46/21@0/1

Reads ini files

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Runs a DLL by calling functions

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5i3yQOSqTm.dll,Control_RunDLL

Creates mutexes

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:4404:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:5004:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1860
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5028:120:WilError_01

Reads the hosts file

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Found GUI installer (many successful clicks)

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 5i3yQOSqTm.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: 5i3yQOSqTm.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.574975422.0000000004C67000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.597304203.000000000106C000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: upwntdll.pdb source: WerFault.exe, 0000001C.00000003.597669330.0000000004ED5000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000017.00000003.577965989.0000000005071000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.602983454.0000000005251000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000017.00000002.585364416.0000000000B42000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000001C.00000003.597304203.000000000106C000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DA13E7 push esi; retf		0_2_00DA13F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE26A93 push ecx; ret		0_2_6EE26AA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE26A93 push ecx; ret		2_2_6EE26AA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A913E7 push esi; retf		3_2_00A913F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F613E7 push esi; retf		16_2_00F613F0

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EE0E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

0_2_6EE0E690

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Tormivkitze\hbajscvbpn.eld:Zone.Identifier read attributes | delete

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 5624	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5624	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 844	Thread sleep time: -30000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Queries a list of all running processes

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE20927 FindFirstFileExW,		0_2_6EE20927
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE20927 FindFirstFileExW,		2_2_6EE20927

Checks the free space of harddrives

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: svchost.exe, 00000025.00000002.765014279.000001E037E80000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@@
Source: Amcache.hve.23.dr	Binary or memory string: VMware
Source: Amcache.hve.23.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.23.dr	Binary or memory string: VMware Virtual USB Mouse
Source: WerFault.exe, 0000001C.00000002.621402260.0000000004F08000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.619138830.0000000004F06000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWz
Source: Amcache.hve.23.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.23.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: svchost.exe, 00000004.00000002.622198085.0000019F85E54000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.621830885.0000019F80829000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.621402260.0000000004F08000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.619138830.0000000004F06000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.621333511.0000000004ED0000.00000004.00000001.sdmp, svchost.exe, 00000025.00000002.765156452.000001E037EE9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.23.dr	Binary or memory string: VMware, Inc.me
Source: svchost.exe, 00000006.00000002.785206676.000001D1BF041000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.784694135.000002163DC29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.23.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.23.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: svchost.exe, 00000004.00000002.622214676.0000019F85E61000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000025.00000002.765145830.000001E037EE1000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWSYSTEM\C
Source: Amcache.hve.23.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.23.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.23.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.23.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.23.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.23.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.23.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: rundll32.exe, 00000002.00000003.520260330.00000000006E8000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8"P
Source: Amcache.hve.23.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.23.dr	Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EE20326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6EE20326

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EE0E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

0_2_6EE0E690

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EE01290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree,

0_2_6EE01290

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DB07D2 mov eax, dword ptr fs:[00000030h]		0_2_00DB07D2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE19990 mov eax, dword ptr fs:[00000030h]		0_2_6EE19990
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE1EC0B mov ecx, dword ptr fs:[00000030h]		0_2_6EE1EC0B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE202CC mov eax, dword ptr fs:[00000030h]		0_2_6EE202CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE19920 mov esi, dword ptr fs:[00000030h]		0_2_6EE19920
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE19920 mov eax, dword ptr fs:[00000030h]		0_2_6EE19920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE19990 mov eax, dword ptr fs:[00000030h]		2_2_6EE19990
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE1EC0B mov ecx, dword ptr fs:[00000030h]		2_2_6EE1EC0B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE202CC mov eax, dword ptr fs:[00000030h]		2_2_6EE202CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE19920 mov esi, dword ptr fs:[00000030h]		2_2_6EE19920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE19920 mov eax, dword ptr fs:[00000030h]		2_2_6EE19920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00AA07D2 mov eax, dword ptr fs:[00000030h]		3_2_00AA07D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00F707D2 mov eax, dword ptr fs:[00000030h]		16_2_00F707D2

Checks if the current process is being debugged

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00DA2ADB LdrInitializeThunk,

0_2_00DA2ADB

Contains functionality to register its own exception handler

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE1A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6EE1A462
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE20326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6EE20326
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE1AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6EE1AB0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE1A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		2_2_6EE1A462
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE20326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		2_2_6EE20326
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE1AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		2_2_6EE1AB0C

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5i3yQOSqTm.dll",#1			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1860 -ip 1860			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 304			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1860 -ip 1860			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 348			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: loaddll32.exe, 00000000.00000000.593834961.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.569183968.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570462325.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.592597065.0000000001680000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.787160929.0000000003370000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.593834961.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.569183968.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570462325.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.592597065.0000000001680000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.787160929.0000000003370000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.593834961.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.569183968.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570462325.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.592597065.0000000001680000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.787160929.0000000003370000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000000.593834961.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.569183968.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570462325.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.592597065.0000000001680000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.787160929.0000000003370000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000000.593834961.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.569183968.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.570462325.0000000001680000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.592597065.0000000001680000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.787160929.0000000003370000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EE1A584 cpuid

0_2_6EE1A584

Contains functionality to query local / system time

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EE1A755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6EE1A755

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.23.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.23.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000E.00000002.784867873.0000022063C3D000.00000004.00000001.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.785225679.0000022063D02000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet

Source: Yara match	File source: 5.2.rundll32.exe.ca21e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.ca21e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.31721e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.f60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.f83618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.d12460.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.8d3508.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.d12460.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.f83618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.e10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.da0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.f60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.f83618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.8d3508.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.31721e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.568855686.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.520020229.00000000006CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.654498844.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.569090954.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.784894715.0000000000D60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.568532914.0000000000C8A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.570083613.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.570281269.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.772094317.0000000000C4B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.593746221.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527531884.0000000000A90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.568102560.0000000000B00000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.567804185.000000000315A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.547175169.00000000005B0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.593529130.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.592478741.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.622171924.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.654439419.0000000000CFA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.622274934.0000000000F7C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.567601226.0000000000E10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527507715.00000000008BA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.592320940.0000000000DA0000.00000040.00000010.sdmp, type: MEMORY