Windows Analysis Report as0Jkr7Dca

Overview

General Information

Sample Name: as0Jkr7Dca (renamed file extension from none to dll)
Analysis ID: 483806
MD5: 3839da365172e8011da03c3ef023c33c
SHA1: 060aaed3fe83b9333dbd19ac22471cc8ded3c9f8
SHA256: 2356048d0182a32df2892b64db99f58634681c33cb0104a3ad3b62510a534454
Tags: Dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Drops files with a non-matching file extension (content does not match file extension)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: as0Jkr7Dca.dll Virustotal: Detection: 64%
Source: as0Jkr7Dca.dll Metadefender: Detection: 62%
Source: as0Jkr7Dca.dll ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: as0Jkr7Dca.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\93S1H\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\zBhEpi\newdev.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\sdoKH6I6V\XmlLite.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\aHDEnt\SYSDM.CPL Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\ACTIVEDS.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: as0Jkr7Dca.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\93S1H\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\zBhEpi\newdev.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\sdoKH6I6V\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\aHDEnt\SYSDM.CPL Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\ACTIVEDS.dll Joe Sandbox ML: detected
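The dropped-file list above has the shape of DLL search-order hijacking (side-loading): each random-named folder under %LOCALAPPDATA% holds a copy of a Windows executable (wextract.exe, InfDefaultInstall.exe, MusNotificationUx.exe, AgentService.exe; the folders are visible in the code-function evidence later in this report) beside a DLL or CPL that reuses the name of a System32 module (VERSION.dll, newdev.dll, XmlLite.dll, ACTIVEDS.dll, SYSDM.CPL), and only the look-alike module is detected. The Python below is an added hunting example, not part of the Joe Sandbox report or of any Dridex tooling: it walks a file inventory and flags every folder under AppData\Local where a byte-identical copy of a System32 EXE sits next to a System32-named module whose hash differs from the genuine file. The inventory, the System32 reference hashes (derived from labels with hashlib, not real hashes) and the two benign control entries are constructed; the excerpt does not show which host EXE sits beside SYSDM.CPL, so that folder is modelled with the impostor module alone and scores lower.

```python
"""Flag DLL side-loading staging folders of the kind this report shows: a
byte-identical copy of a System32 executable dropped into a random %LOCALAPPDATA%
folder next to a DLL/CPL that borrows a System32 module name but is not the
System32 file. Added example, not part of the Joe Sandbox report."""
from __future__ import annotations

import hashlib
import ntpath
from collections import defaultdict

MODULE_EXTS = {".dll", ".cpl", ".ocx"}


def _fake_sha256(label: str) -> str:
    # Constructed stand-in for a real file hash; a real inventory carries the
    # actual SHA-256 of each file.
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed reference map: lower-cased System32 file name -> SHA-256 of the genuine file.
SYSTEM32_REF = {
    name: _fake_sha256("system32:" + name)
    for name in ("wextract.exe", "infdefaultinstall.exe", "musnotificationux.exe",
                 "agentservice.exe", "systempropertiesperformance.exe",
                 "version.dll", "newdev.dll", "xmllite.dll", "activeds.dll", "sysdm.cpl")
}

# Constructed host inventory of (path, sha256). The AppData paths are the ones the
# report lists as dropped; the 'Programs\Tool' entries are invented benign controls.
INVENTORY = [
    (r"C:\Users\user\AppData\Local\93S1H\wextract.exe", SYSTEM32_REF["wextract.exe"]),
    (r"C:\Users\user\AppData\Local\93S1H\VERSION.dll", _fake_sha256("dropped:VERSION.dll")),
    (r"C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe", SYSTEM32_REF["infdefaultinstall.exe"]),
    (r"C:\Users\user\AppData\Local\zBhEpi\newdev.dll", _fake_sha256("dropped:newdev.dll")),
    (r"C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe", SYSTEM32_REF["musnotificationux.exe"]),
    (r"C:\Users\user\AppData\Local\sdoKH6I6V\XmlLite.dll", _fake_sha256("dropped:XmlLite.dll")),
    (r"C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe", SYSTEM32_REF["agentservice.exe"]),
    (r"C:\Users\user\AppData\Local\mtEdnDoZJ\ACTIVEDS.dll", _fake_sha256("dropped:ACTIVEDS.dll")),
    # The report lists SYSDM.CPL as dropped but this excerpt does not show its
    # host EXE, so only the impostor module is modelled for that folder.
    (r"C:\Users\user\AppData\Local\aHDEnt\SYSDM.CPL", _fake_sha256("dropped:SYSDM.CPL")),
    (r"C:\Users\user\AppData\Local\Programs\Tool\tool.exe", _fake_sha256("vendor:tool.exe")),
    (r"C:\Users\user\AppData\Local\Programs\Tool\helper.dll", _fake_sha256("vendor:helper.dll")),
]


def find_sideload_dirs(inventory, system32_ref=SYSTEM32_REF):
    """Return {folder: {"hosts": [...], "impostors": [...], "score": "high"|"medium"}}.

    high   = genuine System32 EXE copy and a differing System32-named module together
    medium = differing System32-named module alone (host EXE not seen in this inventory)
    """
    by_dir = defaultdict(list)
    for path, digest in inventory:
        if "\\appdata\\local\\" not in path.lower():
            continue                                   # only user-writable app-data folders
        by_dir[ntpath.dirname(path)].append((ntpath.basename(path), digest))

    findings = {}
    for folder, files in by_dir.items():
        hosts, impostors = [], []
        for name, digest in files:
            ref = system32_ref.get(name.lower())
            if ref is None:
                continue                               # not a System32 file name: ignore
            ext = ntpath.splitext(name.lower())[1]
            if ext == ".exe" and digest == ref:
                hosts.append(name)                     # byte-identical copy of a System32 EXE
            elif ext in MODULE_EXTS and digest != ref:
                impostors.append(name)                 # System32 module name, foreign bytes
        if impostors:
            findings[folder] = {"hosts": hosts, "impostors": impostors,
                                "score": "high" if hosts else "medium"}
    return findings


if __name__ == "__main__":
    for folder, f in sorted(find_sideload_dirs(INVENTORY).items()):
        print(f"[{f['score']:6}] {folder}: host={f['hosts']} impostor={f['impostors']}")
```

On a real host the inventory comes from a file-system sweep and the reference map from hashes of the machine's own System32 (or a known-good catalogue); the comparison deliberately ignores Authenticode, because the host EXEs here are genuine and would pass a signature check, while a System32 name with the wrong bytes is the signal on its own.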

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider (the only evidence is a BCryptGetProperty call, which is the CNG bcrypt API rather than the legacy CryptoAPI provider, and it is in the dropped MusNotificationUx.exe host, not in the submitted DLL)
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A188290 RtlNtStatusToDosError,BCryptGetProperty,RtlNtStatusToDosError,RtlNtStatusToDosError, 40_2_00007FF75A188290
Static PE information (mitigation flags of the submitted DLL; not a cryptography finding)
Source: as0Jkr7Dca.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols (all in the dropped host executables, not in the submitted DLL)
Source: Binary string: wextract.pdb source: wextract.exe, 0000001F.00000002.395783273.00007FF6A7B49000.00000002.00020000.sdmp, wextract.exe.5.dr
Source: Binary string: SystemPropertiesPerformance.pdb source: SystemPropertiesPerformance.exe, 00000018.00000000.340776280.00007FF7497F2000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.5.dr
Source: Binary string: wextract.pdbGCTL source: wextract.exe, 0000001F.00000002.395783273.00007FF6A7B49000.00000002.00020000.sdmp, wextract.exe.5.dr
Source: Binary string: MusNotificationUx.pdb source: MusNotificationUx.exe, 00000028.00000002.480167009.00007FF75A18E000.00000002.00020000.sdmp, MusNotificationUx.exe.5.dr
Source: Binary string: SystemPropertiesPerformance.pdbGCTL source: SystemPropertiesPerformance.exe, 00000018.00000000.340776280.00007FF7497F2000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.5.dr
Source: Binary string: InfDefaultInstall.pdb source: InfDefaultInstall.exe, 00000021.00000000.398960791.00007FF675B52000.00000002.00020000.sdmp, InfDefaultInstall.exe.5.dr
Source: Binary string: MusNotificationUx.pdbGCTL source: MusNotificationUx.exe, 00000028.00000002.480167009.00007FF75A18E000.00000002.00020000.sdmp, MusNotificationUx.exe.5.dr
Source: Binary string: InfDefaultInstall.pdbGCTL source: InfDefaultInstall.exe, 00000021.00000000.398960791.00007FF675B52000.00000002.00020000.sdmp, InfDefaultInstall.exe.5.dr
Source: Binary string: AgentService.pdbGCTL source: AgentService.exe, 00000024.00000002.455168965.00007FF652EF1000.00000002.00020000.sdmp, AgentService.exe.5.dr
Source: Binary string: AgentService.pdb source: AgentService.exe, 00000024.00000002.455168965.00007FF652EF1000.00000002.00020000.sdmp, AgentService.exe.5.dr
Contains functionality to enumerate / list files / directories
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D290 FindFirstFileExW, 1_2_000000014005D290
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B41EC0 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 31_2_00007FF6A7B41EC0
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E69110 ??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,FindFirstFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,FindNextFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,std::bad_exception::bad_exception,_CxxThrowException, 36_2_00007FF652E69110
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A18A104 ?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,FindFirstFileW,FindNextFileW,FindClose,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z, 40_2_00007FF75A18A104

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 0000001F.00000002.393975401.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.222388463.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.245117610.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.451790236.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.477912274.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.227069993.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.362477458.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.236556937.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.420737755.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.334750401.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.257049994.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.266033860.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.259716676.0000000140001000.00000020.00020000.sdmp, type: MEMORY
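All thirteen Yara hits above point at the same region, base 0x140001000, across thirteen sandbox process indices. The first field of each dump name is that process index in hex, and the same index appears in decimal in the code-function references elsewhere in this report (0x1F = 31 = wextract.exe, 0x28 = 40 = MusNotificationUx.exe, 0x21 = 33 = InfDefaultInstall.exe, 0x24 = 36 = AgentService.exe, 0x18 = 24 = SystemPropertiesPerformance.exe, 1 = loaddll64.exe), which is what lets the unpacked-payload hits be attributed to the dropped host processes. The Python below is an added example, not part of the Joe Sandbox report: the dump-name field layout it assumes (process index, run, timestamp, base address, page protection, region type) is inferred from the identifiers on this page rather than documented here, and the evidence lines it parses are copied from this report, with the long API lists abridged.

```python
"""Attribute the 'Yara detected Dridex unpacked file' memory hits to processes by
parsing the two identifier formats this report uses. Added example, not part of
the Joe Sandbox report. ASSUMED dump-name layout (inferred from the report, not
documented on this page):
    <process index, hex>.<run>.<timestamp>.<base address>.<protect>.<type>.sdmp
A code-function reference is <process index, decimal>_<run>_<address>."""
from __future__ import annotations

import re
from dataclasses import dataclass

# PAGE_* memory-protection constants from winnt.h.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

DUMP_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
                     r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)
CODEFN_RE = re.compile(r"^(\S+) Code function: (\d+)_(\d+)_([0-9A-F]+)", re.I)
PDB_RE = re.compile(r"source: ([^\s,]+), ([0-9A-F]{8})\.", re.I)


@dataclass(frozen=True)
class Dump:
    pid_index: int  # sandbox process index (hex in the file name)
    run: int
    base: int       # base address of the dumped region
    protect: int    # PAGE_* value of the region


def parse_dump_name(name: str) -> Dump:
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    return Dump(int(m[1], 16), int(m[2], 16), int(m[4], 16), int(m[5], 16))


def build_process_map(code_function_lines, pdb_lines):
    """Map sandbox process index -> image name from the two line kinds that carry both."""
    pmap = {}
    for line in code_function_lines:
        m = CODEFN_RE.match(line.strip())
        if m:
            pmap[int(m[2])] = m[1].rsplit("\\", 1)[-1]   # decimal index in N_M_addr
    for line in pdb_lines:
        m = PDB_RE.search(line)
        if m:
            pmap.setdefault(int(m[2], 16), m[1])         # hex index in the dump name
    return pmap


def correlate(dump_names, pmap):
    """One row per Yara hit: owning process (if named), region base and protection."""
    rows = []
    for name in dump_names:
        d = parse_dump_name(name)
        rows.append({"index": d.pid_index, "image": pmap.get(d.pid_index), "base": d.base,
                     "protect": PAGE_PROTECT.get(d.protect, hex(d.protect))})
    return rows


# The 13 Yara memory hits, copied from the report.
YARA_DUMPS = [
    "0000001F.00000002.393975401.0000000140001000.00000020.00020000.sdmp",
    "00000004.00000002.222388463.0000000140001000.00000020.00020000.sdmp",
    "00000009.00000002.245117610.0000000140001000.00000020.00020000.sdmp",
    "00000024.00000002.451790236.0000000140001000.00000020.00020000.sdmp",
    "00000028.00000002.477912274.0000000140001000.00000020.00020000.sdmp",
    "00000006.00000002.227069993.0000000140001000.00000020.00020000.sdmp",
    "00000018.00000002.362477458.0000000140001000.00000020.00020000.sdmp",
    "00000008.00000002.236556937.0000000140001000.00000020.00020000.sdmp",
    "00000021.00000002.420737755.0000000140001000.00000020.00020000.sdmp",
    "00000003.00000002.334750401.0000000140001000.00000020.00020000.sdmp",
    "0000000A.00000002.257049994.0000000140001000.00000020.00020000.sdmp",
    "00000001.00000002.266033860.0000000140001000.00000020.00020000.sdmp",
    "0000000B.00000002.259716676.0000000140001000.00000020.00020000.sdmp",
]
# Code-function evidence lines from the report (API lists abridged).
CODE_FUNCTION_LINES = [
    r"C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D290 FindFirstFileExW,",
    r"C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B41EC0 FindFirstFileA,",
    r"C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe Code function: 33_2_00007FF675B51078",
    r"C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E69110 FindFirstFileW,",
    r"C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A188290 BCryptGetProperty,",
]
# PDB-path evidence lines from the report; each names the process beside one of its dumps.
PDB_LINES = [
    "Binary string: wextract.pdb source: wextract.exe, 0000001F.00000002.395783273.00007FF6A7B49000.00000002.00020000.sdmp, wextract.exe.5.dr",
    "Binary string: SystemPropertiesPerformance.pdb source: SystemPropertiesPerformance.exe, 00000018.00000000.340776280.00007FF7497F2000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.5.dr",
]

if __name__ == "__main__":
    pmap = build_process_map(CODE_FUNCTION_LINES, PDB_LINES)
    for r in sorted(correlate(YARA_DUMPS, pmap), key=lambda r: r["index"]):
        print(f"idx {r['index']:>2}  {r['image'] or '(not named in this excerpt)':34} "
              f"base {r['base']:#x}  {r['protect']}")
```

Every hit resolves to an executable-and-readable region at the same base, which is consistent with one payload mapped at its preferred address in each process: six of the thirteen indices are named on this page (the sandbox's loaddll64.exe plus the five dropped host executables), and the other seven are left unattributed rather than guessed, since nothing in this excerpt names them.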

System Summary:

Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B41B10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, 31_2_00007FF6A7B41B10
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B4297C GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle, 31_2_00007FF6A7B4297C
Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140034870 1_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140035270 1_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140048AC0 1_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005C340 1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140065B80 1_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006A4B0 1_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400524B0 1_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140026CC0 1_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004BD40 1_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400495B0 1_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140036F30 1_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140069010 1_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140001010 1_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140066020 1_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002F840 1_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D850 1_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140064080 1_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140010880 1_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400688A0 1_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002D0D0 1_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400018D0 1_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140016100 1_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001D100 1_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002A110 1_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001D910 1_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140015120 1_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000B120 1_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004F940 1_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140039140 1_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140023140 1_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140057950 1_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001E170 1_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140002980 1_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400611A0 1_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400389A0 1_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400381A0 1_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002E1B0 1_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400139D0 1_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400319F0 1_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002EA00 1_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140022A00 1_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003B220 1_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140067A40 1_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140069A50 1_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140007A60 1_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003AAC0 1_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003A2E0 1_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140062B00 1_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140018300 1_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002FB20 1_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140031340 1_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140022340 1_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140017B40 1_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000BB40 1_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004EB60 1_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140005370 1_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002CB80 1_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B390 1_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140054BA0 1_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140033BB0 1_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400263C0 1_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400123C0 1_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140063BD0 1_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400663F0 1_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140023BF0 1_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B41B 1_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B424 1_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B42D 1_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B436 1_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B43D 1_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140024440 1_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140005C40 1_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B446 1_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005F490 1_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140022D00 1_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140035520 1_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140019D20 1_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140030530 1_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140023530 1_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140031540 1_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140033540 1_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014007BD50 1_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140078570 1_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140019580 1_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400205A0 1_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140025DB0 1_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140071DC0 1_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000C5C0 1_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002DDE0 1_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140031DF0 1_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000DDF0 1_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140001620 1_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140018630 1_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140032650 1_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140064E80 1_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140016E80 1_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140007EA0 1_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400286B0 1_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140006EB0 1_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400276C0 1_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002FEC0 1_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002EED0 1_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002B6E0 1_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140053F20 1_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140022730 1_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140029780 1_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140018F80 1_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003EFB0 1_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400067B0 1_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400667D0 1_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140060FE0 1_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B41C00 31_2_00007FF6A7B41C00
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B43310 31_2_00007FF6A7B43310
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B41B10 31_2_00007FF6A7B41B10
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B46418 31_2_00007FF6A7B46418
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B457D0 31_2_00007FF6A7B457D0
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B45E98 31_2_00007FF6A7B45E98
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B42AB4 31_2_00007FF6A7B42AB4
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B43D64 31_2_00007FF6A7B43D64
Source: C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe Code function: 33_2_00007FF675B51078 33_2_00007FF675B51078
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E68500 36_2_00007FF652E68500
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E354E0 36_2_00007FF652E354E0
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E664D0 36_2_00007FF652E664D0
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E404AC 36_2_00007FF652E404AC
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E80498 36_2_00007FF652E80498
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652EBA450 36_2_00007FF652EBA450
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E4E444 36_2_00007FF652E4E444
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E86158 36_2_00007FF652E86158
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E8115E 36_2_00007FF652E8115E
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E9C278 36_2_00007FF652E9C278
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652ECE834 36_2_00007FF652ECE834
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E4858C 36_2_00007FF652E4858C
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E67580 36_2_00007FF652E67580
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E9D6FC 36_2_00007FF652E9D6FC
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E796D8 36_2_00007FF652E796D8
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E4CC30 36_2_00007FF652E4CC30
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652ECDBA4 36_2_00007FF652ECDBA4
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652EBACE8 36_2_00007FF652EBACE8
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E729F4 36_2_00007FF652E729F4
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652EC29E0 36_2_00007FF652EC29E0
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E7A974 36_2_00007FF652E7A974
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652EBA014 36_2_00007FF652EBA014
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E7B12C 36_2_00007FF652E7B12C
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E69110 36_2_00007FF652E69110
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E3E0F4 36_2_00007FF652E3E0F4
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E71E34 36_2_00007FF652E71E34
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652ED8F04 36_2_00007FF652ED8F04
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E54EF0 36_2_00007FF652E54EF0
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E4BEE4 36_2_00007FF652E4BEE4
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E9EE7C 36_2_00007FF652E9EE7C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17F33C 40_2_00007FF75A17F33C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A176754 40_2_00007FF75A176754
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17C318 40_2_00007FF75A17C318
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A172720 40_2_00007FF75A172720
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A177720 40_2_00007FF75A177720
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A176B7C 40_2_00007FF75A176B7C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16B38C 40_2_00007FF75A16B38C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16E38C 40_2_00007FF75A16E38C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A164760 40_2_00007FF75A164760
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16F360 40_2_00007FF75A16F360
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16BB68 40_2_00007FF75A16BB68
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A178BCC 40_2_00007FF75A178BCC
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17BBAC 40_2_00007FF75A17BBAC
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A18C3B4 40_2_00007FF75A18C3B4
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A1747A8 40_2_00007FF75A1747A8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17AC0C 40_2_00007FF75A17AC0C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16B80C 40_2_00007FF75A16B80C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A1707D8 40_2_00007FF75A1707D8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16CBE4 40_2_00007FF75A16CBE4
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A1783E0 40_2_00007FF75A1783E0
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16D3E8 40_2_00007FF75A16D3E8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A169FE8 40_2_00007FF75A169FE8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A1667F4 40_2_00007FF75A1667F4
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16B03C 40_2_00007FF75A16B03C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16E040 40_2_00007FF75A16E040
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17944C 40_2_00007FF75A17944C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A18044C 40_2_00007FF75A18044C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A176048 40_2_00007FF75A176048
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17D054 40_2_00007FF75A17D054
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A175C2C 40_2_00007FF75A175C2C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A174C80 40_2_00007FF75A174C80
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17A070 40_2_00007FF75A17A070
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A1744C4 40_2_00007FF75A1744C4
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17F8CC 40_2_00007FF75A17F8CC
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A181CB0 40_2_00007FF75A181CB0
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16ACFC 40_2_00007FF75A16ACFC
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A171100 40_2_00007FF75A171100
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16C908 40_2_00007FF75A16C908
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16DCE4 40_2_00007FF75A16DCE4
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A173CE0 40_2_00007FF75A173CE0
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16ECE8 40_2_00007FF75A16ECE8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A169D28 40_2_00007FF75A169D28
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A181130 40_2_00007FF75A181130
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17ED88 40_2_00007FF75A17ED88
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17A16C 40_2_00007FF75A17A16C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17C570 40_2_00007FF75A17C570
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A173570 40_2_00007FF75A173570
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16C5B8 40_2_00007FF75A16C5B8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16B5C0 40_2_00007FF75A16B5C0
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A1869A8 40_2_00007FF75A1869A8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17CDA8 40_2_00007FF75A17CDA8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A1661FC 40_2_00007FF75A1661FC
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A174208 40_2_00007FF75A174208
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17E5DC 40_2_00007FF75A17E5DC
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A1671D8 40_2_00007FF75A1671D8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16D9E4 40_2_00007FF75A16D9E4
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16A9EC 40_2_00007FF75A16A9EC
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A1809E8 40_2_00007FF75A1809E8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A1719F0 40_2_00007FF75A1719F0
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16CE18 40_2_00007FF75A16CE18
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A181688 40_2_00007FF75A181688
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16C25C 40_2_00007FF75A16C25C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16A26C 40_2_00007FF75A16A26C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17BEB8 40_2_00007FF75A17BEB8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16BEC4 40_2_00007FF75A16BEC4
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A17A6C8 40_2_00007FF75A17A6C8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A1886D8 40_2_00007FF75A1886D8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16D6E4 40_2_00007FF75A16D6E4
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A177EE0 40_2_00007FF75A177EE0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: String function: 00007FF652E35BC4 appears 55 times
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: String function: 00007FF652E33F1C appears 39 times
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: String function: 00007FF652E75CE8 appears 64 times
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: String function: 00007FF652E359E0 appears 153 times
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E393A8 memset,CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,swprintf_s,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z, 36_2_00007FF652E393A8
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140046C90 NtClose, 1_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006A4B0 NtQuerySystemInformation, 1_2_000000014006A4B0
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652EB6CB0: DeviceIoControl,??_V@YAXPEAX@Z,CloseHandle, 36_2_00007FF652EB6CB0
Sample file is different than original file name gathered from version info
Source: as0Jkr7Dca.dll Binary or memory string: OriginalFilenamekbdyj% vs as0Jkr7Dca.dll
PE file contains strange resources
Source: SystemPropertiesPerformance.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: ACTIVEDS.dll.5.dr Static PE information: Number of sections : 46 > 10
Source: SYSDM.CPL.5.dr Static PE information: Number of sections : 46 > 10
Source: newdev.dll.5.dr Static PE information: Number of sections : 46 > 10
Source: VERSION.dll.5.dr Static PE information: Number of sections : 46 > 10
Source: as0Jkr7Dca.dll Static PE information: Number of sections : 45 > 10
Source: XmlLite.dll.5.dr Static PE information: Number of sections : 46 > 10
Source: as0Jkr7Dca.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: newdev.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ACTIVEDS.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: as0Jkr7Dca.dll Virustotal: Detection: 64%
Source: as0Jkr7Dca.dll Metadefender: Detection: 62%
Source: as0Jkr7Dca.dll ReversingLabs: Detection: 75%
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\as0Jkr7Dca.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\as0Jkr7Dca.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlReader
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\as0Jkr7Dca.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlReaderInputWithEncodingCodePage
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlReaderInputWithEncodingName
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlWriter
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlWriterOutputWithEncodingCodePage
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlWriterOutputWithEncodingName
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesPerformance.exe C:\Windows\system32\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wextract.exe C:\Windows\system32\wextract.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\93S1H\wextract.exe C:\Users\user\AppData\Local\93S1H\wextract.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\InfDefaultInstall.exe C:\Windows\system32\InfDefaultInstall.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\MusNotificationUx.exe C:\Windows\system32\MusNotificationUx.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\sessionmsg.exe C:\Windows\system32\sessionmsg.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B41B10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, 31_2_00007FF6A7B41B10
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E4943C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,GetLastError, 36_2_00007FF652E4943C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A186588 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle, 40_2_00007FF75A186588
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.troj.evad.winDLL@39/11@0/0
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E32B88 CoInitializeEx,CoCreateInstance,CoUninitialize, 36_2_00007FF652E32B88
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B46418 GetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,GetLastError,FormatMessageA,SetCurrentDirectoryA, 31_2_00007FF6A7B46418
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E3345C StartServiceCtrlDispatcherW,GetLastError, 36_2_00007FF652E3345C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Mutant created: \Sessions\1\BaseNamedObjects\{1b5f2cc3-8b30-2258-5bf8-ae9b32776bed}
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Mutant created: \Sessions\1\BaseNamedObjects\{04215796-eaf0-868f-5418-ce74fc100d33}
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B46E1C LoadResource,LockResource,FreeResource,FindResourceA,FreeResource, 31_2_00007FF6A7B46E1C
Source: as0Jkr7Dca.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: as0Jkr7Dca.dll Static file information: File size 1839104 > 1048576
Source: as0Jkr7Dca.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wextract.pdb source: wextract.exe, 0000001F.00000002.395783273.00007FF6A7B49000.00000002.00020000.sdmp, wextract.exe.5.dr
Source: Binary string: SystemPropertiesPerformance.pdb source: SystemPropertiesPerformance.exe, 00000018.00000000.340776280.00007FF7497F2000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.5.dr
Source: Binary string: wextract.pdbGCTL source: wextract.exe, 0000001F.00000002.395783273.00007FF6A7B49000.00000002.00020000.sdmp, wextract.exe.5.dr
Source: Binary string: MusNotificationUx.pdb source: MusNotificationUx.exe, 00000028.00000002.480167009.00007FF75A18E000.00000002.00020000.sdmp, MusNotificationUx.exe.5.dr
Source: Binary string: SystemPropertiesPerformance.pdbGCTL source: SystemPropertiesPerformance.exe, 00000018.00000000.340776280.00007FF7497F2000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.5.dr
Source: Binary string: InfDefaultInstall.pdb source: InfDefaultInstall.exe, 00000021.00000000.398960791.00007FF675B52000.00000002.00020000.sdmp, InfDefaultInstall.exe.5.dr
Source: Binary string: MusNotificationUx.pdbGCTL source: MusNotificationUx.exe, 00000028.00000002.480167009.00007FF75A18E000.00000002.00020000.sdmp, MusNotificationUx.exe.5.dr
Source: Binary string: InfDefaultInstall.pdbGCTL source: InfDefaultInstall.exe, 00000021.00000000.398960791.00007FF675B52000.00000002.00020000.sdmp, InfDefaultInstall.exe.5.dr
Source: Binary string: AgentService.pdbGCTL source: AgentService.exe, 00000024.00000002.455168965.00007FF652EF1000.00000002.00020000.sdmp, AgentService.exe.5.dr
Source: Binary string: AgentService.pdb source: AgentService.exe, 00000024.00000002.455168965.00007FF652EF1000.00000002.00020000.sdmp, AgentService.exe.5.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140056A4D push rdi; ret 1_2_0000000140056A4E
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E784C0 push rsp; retf 36_2_00007FF652E784C1
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E7FF70 pushfq ; retf 36_2_00007FF652E7FF71
PE file contains sections with non-standard names
Source: as0Jkr7Dca.dll Static PE information: section name: .qkm
Source: as0Jkr7Dca.dll Static PE information: section name: .cvjb
Source: as0Jkr7Dca.dll Static PE information: section name: .tlmkv
Source: as0Jkr7Dca.dll Static PE information: section name: .wucsxe
Source: as0Jkr7Dca.dll Static PE information: section name: .fltwtj
Source: as0Jkr7Dca.dll Static PE information: section name: .sfplio
Source: as0Jkr7Dca.dll Static PE information: section name: .rpg
Source: as0Jkr7Dca.dll Static PE information: section name: .bewzc
Source: as0Jkr7Dca.dll Static PE information: section name: .vksvaw
Source: as0Jkr7Dca.dll Static PE information: section name: .wmhg
Source: as0Jkr7Dca.dll Static PE information: section name: .kswemc
Source: as0Jkr7Dca.dll Static PE information: section name: .kaxfk
Source: as0Jkr7Dca.dll Static PE information: section name: .pjf
Source: as0Jkr7Dca.dll Static PE information: section name: .retjqj
Source: as0Jkr7Dca.dll Static PE information: section name: .mizn
Source: as0Jkr7Dca.dll Static PE information: section name: .rsrub
Source: as0Jkr7Dca.dll Static PE information: section name: .fhgxfk
Source: as0Jkr7Dca.dll Static PE information: section name: .wqpbrq
Source: as0Jkr7Dca.dll Static PE information: section name: .xlhbgj
Source: as0Jkr7Dca.dll Static PE information: section name: .rzgl
Source: as0Jkr7Dca.dll Static PE information: section name: .yic
Source: as0Jkr7Dca.dll Static PE information: section name: .zfmbo
Source: as0Jkr7Dca.dll Static PE information: section name: .zlvv
Source: as0Jkr7Dca.dll Static PE information: section name: .cxtrm
Source: as0Jkr7Dca.dll Static PE information: section name: .ulxwjx
Source: as0Jkr7Dca.dll Static PE information: section name: .dhdaub
Source: as0Jkr7Dca.dll Static PE information: section name: .mwbsl
Source: as0Jkr7Dca.dll Static PE information: section name: .tnjoaa
Source: as0Jkr7Dca.dll Static PE information: section name: .xbwa
Source: as0Jkr7Dca.dll Static PE information: section name: .ahxqcx
Source: as0Jkr7Dca.dll Static PE information: section name: .prqysb
Source: as0Jkr7Dca.dll Static PE information: section name: .piajju
Source: as0Jkr7Dca.dll Static PE information: section name: .ncu
Source: as0Jkr7Dca.dll Static PE information: section name: .pmgfro
Source: as0Jkr7Dca.dll Static PE information: section name: .xjbky
Source: as0Jkr7Dca.dll Static PE information: section name: .iypg
Source: as0Jkr7Dca.dll Static PE information: section name: .icnjt
Source: as0Jkr7Dca.dll Static PE information: section name: .ayz
Source: as0Jkr7Dca.dll Static PE information: section name: .jirq
Source: MusNotificationUx.exe.5.dr Static PE information: section name: .imrsiv
Source: MusNotificationUx.exe.5.dr Static PE information: section name: .didat
Source: SYSDM.CPL.5.dr Static PE information: section name: .qkm
Source: SYSDM.CPL.5.dr Static PE information: section name: .cvjb
Source: SYSDM.CPL.5.dr Static PE information: section name: .tlmkv
Source: SYSDM.CPL.5.dr Static PE information: section name: .wucsxe
Source: SYSDM.CPL.5.dr Static PE information: section name: .fltwtj
Source: SYSDM.CPL.5.dr Static PE information: section name: .sfplio
Source: SYSDM.CPL.5.dr Static PE information: section name: .rpg
Source: SYSDM.CPL.5.dr Static PE information: section name: .bewzc
Source: SYSDM.CPL.5.dr Static PE information: section name: .vksvaw
Source: SYSDM.CPL.5.dr Static PE information: section name: .wmhg
Source: SYSDM.CPL.5.dr Static PE information: section name: .kswemc
Source: SYSDM.CPL.5.dr Static PE information: section name: .kaxfk
Source: SYSDM.CPL.5.dr Static PE information: section name: .pjf
Source: SYSDM.CPL.5.dr Static PE information: section name: .retjqj
Source: SYSDM.CPL.5.dr Static PE information: section name: .mizn
Source: SYSDM.CPL.5.dr Static PE information: section name: .rsrub
Source: SYSDM.CPL.5.dr Static PE information: section name: .fhgxfk
Source: SYSDM.CPL.5.dr Static PE information: section name: .wqpbrq
Source: SYSDM.CPL.5.dr Static PE information: section name: .xlhbgj
Source: SYSDM.CPL.5.dr Static PE information: section name: .rzgl
Source: SYSDM.CPL.5.dr Static PE information: section name: .yic
Source: SYSDM.CPL.5.dr Static PE information: section name: .zfmbo
Source: SYSDM.CPL.5.dr Static PE information: section name: .zlvv
Source: SYSDM.CPL.5.dr Static PE information: section name: .cxtrm
Source: SYSDM.CPL.5.dr Static PE information: section name: .ulxwjx
Source: SYSDM.CPL.5.dr Static PE information: section name: .dhdaub
Source: SYSDM.CPL.5.dr Static PE information: section name: .mwbsl
Source: SYSDM.CPL.5.dr Static PE information: section name: .tnjoaa
Source: SYSDM.CPL.5.dr Static PE information: section name: .xbwa
Source: SYSDM.CPL.5.dr Static PE information: section name: .ahxqcx
Source: SYSDM.CPL.5.dr Static PE information: section name: .prqysb
Source: SYSDM.CPL.5.dr Static PE information: section name: .piajju
Source: SYSDM.CPL.5.dr Static PE information: section name: .ncu
Source: SYSDM.CPL.5.dr Static PE information: section name: .pmgfro
Source: SYSDM.CPL.5.dr Static PE information: section name: .xjbky
Source: SYSDM.CPL.5.dr Static PE information: section name: .iypg
Source: SYSDM.CPL.5.dr Static PE information: section name: .icnjt
Source: SYSDM.CPL.5.dr Static PE information: section name: .ayz
Source: SYSDM.CPL.5.dr Static PE information: section name: .jirq
Source: SYSDM.CPL.5.dr Static PE information: section name: .xfw
Source: VERSION.dll.5.dr Static PE information: section name: .qkm
Source: VERSION.dll.5.dr Static PE information: section name: .cvjb
Source: VERSION.dll.5.dr Static PE information: section name: .tlmkv
Source: VERSION.dll.5.dr Static PE information: section name: .wucsxe
Source: VERSION.dll.5.dr Static PE information: section name: .fltwtj
Source: VERSION.dll.5.dr Static PE information: section name: .sfplio
Source: VERSION.dll.5.dr Static PE information: section name: .rpg
Source: VERSION.dll.5.dr Static PE information: section name: .bewzc
Source: VERSION.dll.5.dr Static PE information: section name: .vksvaw
Source: VERSION.dll.5.dr Static PE information: section name: .wmhg
Source: VERSION.dll.5.dr Static PE information: section name: .kswemc
Source: VERSION.dll.5.dr Static PE information: section name: .kaxfk
Source: VERSION.dll.5.dr Static PE information: section name: .pjf
Source: VERSION.dll.5.dr Static PE information: section name: .retjqj
Source: VERSION.dll.5.dr Static PE information: section name: .mizn
Source: VERSION.dll.5.dr Static PE information: section name: .rsrub
Source: VERSION.dll.5.dr Static PE information: section name: .fhgxfk
Source: VERSION.dll.5.dr Static PE information: section name: .wqpbrq
Source: VERSION.dll.5.dr Static PE information: section name: .xlhbgj
Source: VERSION.dll.5.dr Static PE information: section name: .rzgl
Source: VERSION.dll.5.dr Static PE information: section name: .yic
Source: VERSION.dll.5.dr Static PE information: section name: .zfmbo
Source: VERSION.dll.5.dr Static PE information: section name: .zlvv
Source: VERSION.dll.5.dr Static PE information: section name: .cxtrm
Source: VERSION.dll.5.dr Static PE information: section name: .ulxwjx
Source: VERSION.dll.5.dr Static PE information: section name: .dhdaub
Source: VERSION.dll.5.dr Static PE information: section name: .mwbsl
Source: VERSION.dll.5.dr Static PE information: section name: .tnjoaa
Source: VERSION.dll.5.dr Static PE information: section name: .xbwa
Source: VERSION.dll.5.dr Static PE information: section name: .ahxqcx
Source: VERSION.dll.5.dr Static PE information: section name: .prqysb
Source: VERSION.dll.5.dr Static PE information: section name: .piajju
Source: VERSION.dll.5.dr Static PE information: section name: .ncu
Source: VERSION.dll.5.dr Static PE information: section name: .pmgfro
Source: VERSION.dll.5.dr Static PE information: section name: .xjbky
Source: VERSION.dll.5.dr Static PE information: section name: .iypg
Source: VERSION.dll.5.dr Static PE information: section name: .icnjt
Source: VERSION.dll.5.dr Static PE information: section name: .ayz
Source: VERSION.dll.5.dr Static PE information: section name: .jirq
Source: VERSION.dll.5.dr Static PE information: section name: .oygkua
Source: newdev.dll.5.dr Static PE information: section name: .qkm
Source: newdev.dll.5.dr Static PE information: section name: .cvjb
Source: newdev.dll.5.dr Static PE information: section name: .tlmkv
Source: newdev.dll.5.dr Static PE information: section name: .wucsxe
Source: newdev.dll.5.dr Static PE information: section name: .fltwtj
Source: newdev.dll.5.dr Static PE information: section name: .sfplio
Source: newdev.dll.5.dr Static PE information: section name: .rpg
Source: newdev.dll.5.dr Static PE information: section name: .bewzc
Source: newdev.dll.5.dr Static PE information: section name: .vksvaw
Source: newdev.dll.5.dr Static PE information: section name: .wmhg
Source: newdev.dll.5.dr Static PE information: section name: .kswemc
Source: newdev.dll.5.dr Static PE information: section name: .kaxfk
Source: newdev.dll.5.dr Static PE information: section name: .pjf
Source: newdev.dll.5.dr Static PE information: section name: .retjqj
Source: newdev.dll.5.dr Static PE information: section name: .mizn
Source: newdev.dll.5.dr Static PE information: section name: .rsrub
Source: newdev.dll.5.dr Static PE information: section name: .fhgxfk
Source: newdev.dll.5.dr Static PE information: section name: .wqpbrq
Source: newdev.dll.5.dr Static PE information: section name: .xlhbgj
Source: newdev.dll.5.dr Static PE information: section name: .rzgl
Source: newdev.dll.5.dr Static PE information: section name: .yic
Source: newdev.dll.5.dr Static PE information: section name: .zfmbo
Source: newdev.dll.5.dr Static PE information: section name: .zlvv
Source: newdev.dll.5.dr Static PE information: section name: .cxtrm
Source: newdev.dll.5.dr Static PE information: section name: .ulxwjx
Source: newdev.dll.5.dr Static PE information: section name: .dhdaub
Source: newdev.dll.5.dr Static PE information: section name: .mwbsl
Source: newdev.dll.5.dr Static PE information: section name: .tnjoaa
Source: newdev.dll.5.dr Static PE information: section name: .xbwa
Source: newdev.dll.5.dr Static PE information: section name: .ahxqcx
Source: newdev.dll.5.dr Static PE information: section name: .prqysb
Source: newdev.dll.5.dr Static PE information: section name: .piajju
Source: newdev.dll.5.dr Static PE information: section name: .ncu
Source: newdev.dll.5.dr Static PE information: section name: .pmgfro
Source: newdev.dll.5.dr Static PE information: section name: .xjbky
Source: newdev.dll.5.dr Static PE information: section name: .iypg
Source: newdev.dll.5.dr Static PE information: section name: .icnjt
Source: newdev.dll.5.dr Static PE information: section name: .ayz
Source: newdev.dll.5.dr Static PE information: section name: .jirq
Source: newdev.dll.5.dr Static PE information: section name: .tevex
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .qkm
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .cvjb
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .tlmkv
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .wucsxe
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .fltwtj
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .sfplio
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .rpg
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .bewzc
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .vksvaw
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .wmhg
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .kswemc
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .kaxfk
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .pjf
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .retjqj
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .mizn
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .rsrub
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .fhgxfk
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .wqpbrq
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .xlhbgj
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .rzgl
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .yic
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .zfmbo
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .zlvv
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .cxtrm
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .ulxwjx
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .dhdaub
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .mwbsl
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .tnjoaa
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .xbwa
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .ahxqcx
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .prqysb
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .piajju
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .ncu
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .pmgfro
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .xjbky
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .iypg
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .icnjt
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .ayz
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .jirq
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .wkpwg
Source: XmlLite.dll.5.dr Static PE information: section name: .qkm
Source: XmlLite.dll.5.dr Static PE information: section name: .cvjb
Source: XmlLite.dll.5.dr Static PE information: section name: .tlmkv
Source: XmlLite.dll.5.dr Static PE information: section name: .wucsxe
Source: XmlLite.dll.5.dr Static PE information: section name: .fltwtj
Source: XmlLite.dll.5.dr Static PE information: section name: .sfplio
Source: XmlLite.dll.5.dr Static PE information: section name: .rpg
Source: XmlLite.dll.5.dr Static PE information: section name: .bewzc
Source: XmlLite.dll.5.dr Static PE information: section name: .vksvaw
Source: XmlLite.dll.5.dr Static PE information: section name: .wmhg
Source: XmlLite.dll.5.dr Static PE information: section name: .kswemc
Source: XmlLite.dll.5.dr Static PE information: section name: .kaxfk
Source: XmlLite.dll.5.dr Static PE information: section name: .pjf
Source: XmlLite.dll.5.dr Static PE information: section name: .retjqj
Source: XmlLite.dll.5.dr Static PE information: section name: .mizn
Source: XmlLite.dll.5.dr Static PE information: section name: .rsrub
Source: XmlLite.dll.5.dr Static PE information: section name: .fhgxfk
Source: XmlLite.dll.5.dr Static PE information: section name: .wqpbrq
Source: XmlLite.dll.5.dr Static PE information: section name: .xlhbgj
Source: XmlLite.dll.5.dr Static PE information: section name: .rzgl
Source: XmlLite.dll.5.dr Static PE information: section name: .yic
Source: XmlLite.dll.5.dr Static PE information: section name: .zfmbo
Source: XmlLite.dll.5.dr Static PE information: section name: .zlvv
Source: XmlLite.dll.5.dr Static PE information: section name: .cxtrm
Source: XmlLite.dll.5.dr Static PE information: section name: .ulxwjx
Source: XmlLite.dll.5.dr Static PE information: section name: .dhdaub
Source: XmlLite.dll.5.dr Static PE information: section name: .mwbsl
Source: XmlLite.dll.5.dr Static PE information: section name: .tnjoaa
Source: XmlLite.dll.5.dr Static PE information: section name: .xbwa
Source: XmlLite.dll.5.dr Static PE information: section name: .ahxqcx
Source: XmlLite.dll.5.dr Static PE information: section name: .prqysb
Source: XmlLite.dll.5.dr Static PE information: section name: .piajju
Source: XmlLite.dll.5.dr Static PE information: section name: .ncu
Source: XmlLite.dll.5.dr Static PE information: section name: .pmgfro
Source: XmlLite.dll.5.dr Static PE information: section name: .xjbky
Source: XmlLite.dll.5.dr Static PE information: section name: .iypg
Source: XmlLite.dll.5.dr Static PE information: section name: .icnjt
Source: XmlLite.dll.5.dr Static PE information: section name: .ayz
Source: XmlLite.dll.5.dr Static PE information: section name: .jirq
Source: XmlLite.dll.5.dr Static PE information: section name: .hmh
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B41C00 memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 31_2_00007FF6A7B41C00
PE file contains an invalid checksum
Source: ACTIVEDS.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1c222a
Source: SYSDM.CPL.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1c6d7c
Source: newdev.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1d0fc6
Source: VERSION.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1cf964
Source: as0Jkr7Dca.dll Static PE information: real checksum: 0x7d786c40 should be: 0x1c70c8
Source: XmlLite.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1c2161
Binary contains a suspicious time stamp
Source: SystemPropertiesPerformance.exe.5.dr Static PE information: 0xF80C9430 [Wed Nov 16 08:45:36 2101 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aHDEnt\SYSDM.CPL Jump to dropped file
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\mtEdnDoZJ\ACTIVEDS.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\sdoKH6I6V\XmlLite.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\93S1H\wextract.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\93S1H\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\zBhEpi\newdev.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aHDEnt\SYSDM.CPL Jump to dropped file
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B415C8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 31_2_00007FF6A7B415C8
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E3345C StartServiceCtrlDispatcherW,GetLastError, 36_2_00007FF652E3345C

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwSetEvent new code: 0xE9 0x9B 0xBB 0xB5 0x5E 0xEF
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A16F360 GetLocalTime followed by cmp: cmp r14d, 02h and CTI: jne 00007FF75A16F436h 40_2_00007FF75A16F360
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E54EF0 rdtsc 36_2_00007FF652E54EF0
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005C340 GetSystemInfo, 1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D290 FindFirstFileExW, 1_2_000000014005D290
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B41EC0 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 31_2_00007FF6A7B41EC0
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E69110 ??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,FindFirstFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,FindNextFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,std::bad_exception::bad_exception,_CxxThrowException, 36_2_00007FF652E69110
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A18A104 ?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,FindFirstFileW,FindNextFileW,FindClose,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z, 40_2_00007FF75A18A104
Source: explorer.exe, 00000005.00000000.263575751.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.263575751.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000005.00000000.235243024.000000000F640000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.281383823.00000000088BF000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.230973152.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.257547400.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000005.00000000.263575751.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000005.00000000.263575751.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.281150556.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000005.00000000.276454121.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000005.00000000.231428281.00000000089DC000.00000004.00000001.sdmp Binary or memory string: Prod_VMware_SATAT

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A1628E8 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 40_2_00007FF75A1628E8
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E32EF0 OutputDebugStringW,OutputDebugStringW,EventRegister,EventSetInformation,RegisterServiceCtrlHandlerW,SetServiceStatus,SetServiceStatus,GetLastError, 36_2_00007FF652E32EF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B41C00 memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 31_2_00007FF6A7B41C00
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E5F7F0 ??3@YAXPEAX@Z,??3@YAXPEAX@Z,GetFileVersionInfoSizeW,GetLastError,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,HeapFree,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 36_2_00007FF652E5F7F0
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652E54EF0 rdtsc 36_2_00007FF652E54EF0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140048AC0 LdrLoadDll,FindClose, 1_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe Code function: 24_2_00007FF7497F16E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00007FF7497F16E4
Source: C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe Code function: 24_2_00007FF7497F1460 SetUnhandledExceptionFilter, 24_2_00007FF7497F1460
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B47A80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_00007FF6A7B47A80
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B47D70 SetUnhandledExceptionFilter, 31_2_00007FF6A7B47D70
Source: C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe Code function: 33_2_00007FF675B51810 SetUnhandledExceptionFilter, 33_2_00007FF675B51810
Source: C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe Code function: 33_2_00007FF675B51AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 33_2_00007FF675B51AA4
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Code function: 36_2_00007FF652EE0304 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_00007FF652EE0304
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A184768 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 40_2_00007FF75A184768
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Code function: 40_2_00007FF75A184AC0 SetUnhandledExceptionFilter, 40_2_00007FF75A184AC0

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: SYSDM.CPL.5.dr Jump to dropped file
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFB7377EFE0 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFB7377E000 protect: page execute read Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFB70FD2A20 protect: page execute and read and write Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\as0Jkr7Dca.dll',#1 Jump to behavior
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B412A0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle, 31_2_00007FF6A7B412A0
Source: explorer.exe, 00000005.00000000.271790848.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000005.00000000.225549739.0000000001980000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.278081643.0000000006860000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.225549739.0000000001980000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.225549739.0000000001980000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe Queries volume information: unknown VolumeInformation
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe Code function: 24_2_00007FF7497F15F0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 24_2_00007FF7497F15F0
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe Code function: 31_2_00007FF6A7B47510 GetVersionExA,GetSystemMetrics,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,CharNextA, 31_2_00007FF6A7B47510
No contacted IP infos