Windows Analysis Report 3PgaI7gtQn

Overview

General Information

Sample Name: 3PgaI7gtQn (renamed file extension from none to dll)
Analysis ID: 492089
MD5: 8a6f4fe59b41d74501e04f1b451dc57d
SHA1: 064f5eca3efd02c5f40a8c9e7fedb86aa40eeed0
SHA256: d7cb31b51d497eaac81246a38db0abd05398832fb301cb1b97d1ca979df2a4ca
Tags: exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 3PgaI7gtQn.dll Virustotal: Detection: 68%
Source: 3PgaI7gtQn.dll Metadefender: Detection: 54%
Source: 3PgaI7gtQn.dll ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: 3PgaI7gtQn.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\43ip\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\oobM\MFC42u.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\zshP\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: 3PgaI7gtQn.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\43ip\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\oobM\MFC42u.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\zshP\VERSION.dll Joe Sandbox ML: detected
Source: 3PgaI7gtQn.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: bdeunlock.pdbGCTL source: bdeunlock.exe, 0000001B.00000000.778824704.00007FF77B997000.00000002.00020000.sdmp
Source: Binary string: pwcreator.pdb source: pwcreator.exe, 00000023.00000000.806170526.00007FF647FCA000.00000002.00020000.sdmp
Source: Binary string: pwcreator.pdbGCTL source: pwcreator.exe, 00000023.00000000.806170526.00007FF647FCA000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe, 0000001F.00000002.802434420.00007FF7FD015000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe, 0000001F.00000002.802434420.00007FF7FD015000.00000002.00020000.sdmp
Source: Binary string: bdeunlock.pdb source: bdeunlock.exe, 0000001B.00000000.778824704.00007FF77B997000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FBAD98 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError, 35_2_00007FF647FBAD98
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB0414 FindClose,wcscpy_s,lstrlenW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,wcsrchr,wcsrchr,FindClose, 35_2_00007FF647FB0414
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B987818 GetLogicalDriveStringsW,GetLastError,GetProcessHeap,HeapAlloc,GetLogicalDriveStringsW,GetLastError,?UnlockWithKey@BuiVolume@@QEAAJPEBGPEAH@Z, 27_2_00007FF77B987818

E-Banking Fraud:

Yara detected Dridex unpacked file

System Summary:

Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: String function: 00007FF647F72AC0 appears 86 times
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: String function: 00007FF647FBEA7C appears 78 times
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: String function: 00007FF647F758F8 appears 101 times
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: String function: 00007FF647F726CC appears 146 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140046C90 NtClose, 0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 NtQuerySystemInformation, 0_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FBBA40 NtQuerySystemInformation, 35_2_00007FF647FBBA40
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB0C64 RtlInitUnicodeString,memset,NtOpenSymbolicLinkObject,memset,NtQuerySymbolicLinkObject,_wcsnicmp,NtClose,NtClose,_CxxThrowException, 35_2_00007FF647FB0C64
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FBAD98 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError, 35_2_00007FF647FBAD98
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB8DD8 memset,NtWriteFile,NtReadFile,NtWriteFile,NtWriteFile,NtWriteFile, 35_2_00007FF647FB8DD8
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB9DF8 NtReadFile, 35_2_00007FF647FB9DF8
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB9E3C memset,CreateFileW,NtClose, 35_2_00007FF647FB9E3C
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB9F70 GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetLastError,GetLastError,GetLastError,RtlImageNtHeader,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,memset,WriteFile,GetLastError,GetProcessHeap,HeapFree,NtClose,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,SetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError, 35_2_00007FF647FB9F70
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB50C8 NtClose, 35_2_00007FF647FB50C8
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB90D8 RtlInitUnicodeString,NtOpenFile,NtCreateEvent,NtDeviceIoControlFile,NtWaitForSingleObject,NtClose,NtClose, 35_2_00007FF647FB90D8
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647F990E8 memset,NtQuerySystemInformation,_CxxThrowException, 35_2_00007FF647F990E8
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647F993BC CreateFileW,NtQueryVolumeInformationFile,CloseHandle,_CxxThrowException,_CxxThrowException, 35_2_00007FF647F993BC
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB94F0 CreateFileW,GetLastError,GetProcessHeap,HeapAlloc,NtQueryInformationFile,NtOpenProcess,NtQueryInformationProcess,GetProcessHeap,HeapAlloc,NtQueryInformationProcess,NtClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree, 35_2_00007FF647FB94F0
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FC17EC GetFileAttributesW,SetFileAttributesW,CreateFileW,GetFileInformationByHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,memset,GetFullPathNameW,HeapAlloc,RtlDeleteBoundaryDescriptor,_wcsicmp,FindClose,GetProcessHeap,HeapFree,GetLastError,GetLastError,NtSetInformationFile,RtlNtStatusToDosError,CloseHandle,SetFileAttributesW,GetProcessHeap,HeapFree,GetLastError,GetLastError,GetProcessHeap,HeapFree,SetLastError, 35_2_00007FF647FC17EC
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB97EC GetCurrentThread,NtQueryInformationThread,GetCurrentThread,NtSetInformationThread, 35_2_00007FF647FB97EC
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FC1CDC GetFileAttributesW,SetFileAttributesW,CreateFileW,DeviceIoControl,GetLastError,CloseHandle,GetLastError,GetProcessHeap,HeapFree,SetLastError,SetLastError, 35_2_00007FF647FC1CDC
PE file contains strange resources
Source: bdeunlock.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdeunlock.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdeunlock.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pwcreator.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pwcreator.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lpksetup.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lpksetup.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lpksetup.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Netplwiz.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Netplwiz.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Netplwiz.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: DUI70.dll0.4.dr Static PE information: Number of sections : 39 > 10
Source: DUI70.dll.4.dr Static PE information: Number of sections : 39 > 10
Source: NETPLWIZ.dll.4.dr Static PE information: Number of sections : 39 > 10
Source: 3PgaI7gtQn.dll Static PE information: Number of sections : 38 > 10
Source: XmlLite.dll.4.dr Static PE information: Number of sections : 39 > 10
Source: WINBRAND.dll.4.dr Static PE information: Number of sections : 39 > 10
Source: dpx.dll.4.dr Static PE information: Number of sections : 38 > 10
Source: VERSION.dll.4.dr Static PE information: Number of sections : 39 > 10
Source: MFC42u.dll.4.dr Static PE information: Number of sections : 39 > 10
Source: 3PgaI7gtQn.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINBRAND.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dpx.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NETPLWIZ.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3PgaI7gtQn.dll Virustotal: Detection: 68%
Source: 3PgaI7gtQn.dll Metadefender: Detection: 54%
Source: 3PgaI7gtQn.dll ReversingLabs: Detection: 75%
Source: 3PgaI7gtQn.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CopyPropVariant
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropVariant
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropertyStore
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,DestroyPropVariant
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,FormatTagFromWfx
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetAMSubtypeFromD3DFormat
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetD3DFormatFromMFSubtype
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAddPeriodicCallback
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateSerialWorkQueue
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueue
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueueEx
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAppendCollection
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAverageTimePerFrameToFrameRate
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginCreateFile
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\bdeunlock.exe C:\Windows\system32\bdeunlock.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginGetHostByName
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSS
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\CameraSettingsUIHost.exe C:\Windows\system32\CameraSettingsUIHost.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSSEx
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginUnregisterWorkQueueWithMMCSS
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\pwcreator.exe C:\Windows\system32\pwcreator.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFCalculateBitmapImageSize
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\lpksetup.exe C:\Windows\system32\lpksetup.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFCalculateImageSize
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CopyPropVariant
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropVariant
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropertyStore
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,DestroyPropVariant
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,FormatTagFromWfx
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetAMSubtypeFromD3DFormat
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetD3DFormatFromMFSubtype
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAddPeriodicCallback
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateSerialWorkQueue
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueue
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueueEx
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAppendCollection
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAverageTimePerFrameToFrameRate
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginCreateFile
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginGetHostByName
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSS
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSSEx
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginUnregisterWorkQueueWithMMCSS
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFCalculateBitmapImageSize
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFCalculateImageSize
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\bdeunlock.exe C:\Windows\system32\bdeunlock.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\CameraSettingsUIHost.exe C:\Windows\system32\CameraSettingsUIHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\pwcreator.exe C:\Windows\system32\pwcreator.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\lpksetup.exe C:\Windows\system32\lpksetup.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FBEBE0 GetCurrentThread,OpenThreadToken,GetLastError,GetProcessHeap,HeapAlloc,AdjustTokenPrivileges,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,AdjustTokenPrivileges,GetLastError,CloseHandle,GetProcessHeap,HeapFree,SetLastError, 35_2_00007FF647FBEBE0
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB3CDC GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,_CxxThrowException,_CxxThrowException,_CxxThrowException, 35_2_00007FF647FB3CDC
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647F79EB8 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,_CxxThrowException,_CxxThrowException,_CxxThrowException, 35_2_00007FF647F79EB8
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.troj.evad.winDLL@69/17@0/1
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B988420 CoCreateInstance,ShellExecuteW,?NeedsDiscoveryVolumeUpdate@BuiVolume@@QEAAJPEAH@Z,?LaunchUpdate@BuiVolume@@QEAAJXZ, 27_2_00007FF77B988420
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B9724D8 FormatMessageW,GetLastError, 27_2_00007FF77B9724D8
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CopyPropVariant
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{01c2b0c1-24c0-5263-91b2-55fa644b5b53}
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Mutant created: \Sessions\1\BaseNamedObjects\{65fc1c27-4504-7567-4300-8c5ca8b0c4c0}
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647F73AF4 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,EnterCriticalSection,LeaveCriticalSection, 35_2_00007FF647F73AF4
Source: pwcreator.exe String found in binary or memory: //IMAGE[@INDEX='%u']/WINDOWS/INSTALLATIONTYPE
Source: 3PgaI7gtQn.dll Static PE information: More than 224 > 100 exports found
Source: 3PgaI7gtQn.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: 3PgaI7gtQn.dll Static file information: File size 2121728 > 1048576
Source: 3PgaI7gtQn.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: bdeunlock.pdbGCTL source: bdeunlock.exe, 0000001B.00000000.778824704.00007FF77B997000.00000002.00020000.sdmp
Source: Binary string: pwcreator.pdb source: pwcreator.exe, 00000023.00000000.806170526.00007FF647FCA000.00000002.00020000.sdmp
Source: Binary string: pwcreator.pdbGCTL source: pwcreator.exe, 00000023.00000000.806170526.00007FF647FCA000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe, 0000001F.00000002.802434420.00007FF7FD015000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe, 0000001F.00000002.802434420.00007FF7FD015000.00000002.00020000.sdmp
Source: Binary string: bdeunlock.pdb source: bdeunlock.exe, 0000001B.00000000.778824704.00007FF77B997000.00000002.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret 0_2_0000000140056A4E
PE file contains sections with non-standard names
Source: 3PgaI7gtQn.dll Static PE information: section name: .qkm
Source: 3PgaI7gtQn.dll Static PE information: section name: .cvjb
Source: 3PgaI7gtQn.dll Static PE information: section name: .tlmkv
Source: 3PgaI7gtQn.dll Static PE information: section name: .wucsxe
Source: 3PgaI7gtQn.dll Static PE information: section name: .fltwtj
Source: 3PgaI7gtQn.dll Static PE information: section name: .sfplio
Source: 3PgaI7gtQn.dll Static PE information: section name: .rpg
Source: 3PgaI7gtQn.dll Static PE information: section name: .bewzc
Source: 3PgaI7gtQn.dll Static PE information: section name: .vksvaw
Source: 3PgaI7gtQn.dll Static PE information: section name: .wmhg
Source: 3PgaI7gtQn.dll Static PE information: section name: .kswemc
Source: 3PgaI7gtQn.dll Static PE information: section name: .kaxfk
Source: 3PgaI7gtQn.dll Static PE information: section name: .pjf
Source: 3PgaI7gtQn.dll Static PE information: section name: .favk
Source: 3PgaI7gtQn.dll Static PE information: section name: .vhtukj
Source: 3PgaI7gtQn.dll Static PE information: section name: .hmbyox
Source: 3PgaI7gtQn.dll Static PE information: section name: .djv
Source: 3PgaI7gtQn.dll Static PE information: section name: .hpern
Source: 3PgaI7gtQn.dll Static PE information: section name: .czzwqg
Source: 3PgaI7gtQn.dll Static PE information: section name: .jxjvn
Source: 3PgaI7gtQn.dll Static PE information: section name: .jfsnsk
Source: 3PgaI7gtQn.dll Static PE information: section name: .nzvifv
Source: 3PgaI7gtQn.dll Static PE information: section name: .tops
Source: 3PgaI7gtQn.dll Static PE information: section name: .lrjye
Source: 3PgaI7gtQn.dll Static PE information: section name: .qwdob
Source: 3PgaI7gtQn.dll Static PE information: section name: .xcq
Source: 3PgaI7gtQn.dll Static PE information: section name: .ifxvj
Source: 3PgaI7gtQn.dll Static PE information: section name: .fgpyt
Source: 3PgaI7gtQn.dll Static PE information: section name: .tgzhe
Source: 3PgaI7gtQn.dll Static PE information: section name: .oocus
Source: 3PgaI7gtQn.dll Static PE information: section name: .ybtor
Source: 3PgaI7gtQn.dll Static PE information: section name: .gxixek
Source: bdeunlock.exe.4.dr Static PE information: section name: .imrsiv
Source: CameraSettingsUIHost.exe.4.dr Static PE information: section name: .imrsiv
Source: mmc.exe.4.dr Static PE information: section name: .didat
Source: DUI70.dll.4.dr Static PE information: section name: .qkm
Source: DUI70.dll.4.dr Static PE information: section name: .cvjb
Source: DUI70.dll.4.dr Static PE information: section name: .tlmkv
Source: DUI70.dll.4.dr Static PE information: section name: .wucsxe
Source: DUI70.dll.4.dr Static PE information: section name: .fltwtj
Source: DUI70.dll.4.dr Static PE information: section name: .sfplio
Source: DUI70.dll.4.dr Static PE information: section name: .rpg
Source: DUI70.dll.4.dr Static PE information: section name: .bewzc
Source: DUI70.dll.4.dr Static PE information: section name: .vksvaw
Source: DUI70.dll.4.dr Static PE information: section name: .wmhg
Source: DUI70.dll.4.dr Static PE information: section name: .kswemc
Source: DUI70.dll.4.dr Static PE information: section name: .kaxfk
Source: DUI70.dll.4.dr Static PE information: section name: .pjf
Source: DUI70.dll.4.dr Static PE information: section name: .favk
Source: DUI70.dll.4.dr Static PE information: section name: .vhtukj
Source: DUI70.dll.4.dr Static PE information: section name: .hmbyox
Source: DUI70.dll.4.dr Static PE information: section name: .djv
Source: DUI70.dll.4.dr Static PE information: section name: .hpern
Source: DUI70.dll.4.dr Static PE information: section name: .czzwqg
Source: DUI70.dll.4.dr Static PE information: section name: .jxjvn
Source: DUI70.dll.4.dr Static PE information: section name: .jfsnsk
Source: DUI70.dll.4.dr Static PE information: section name: .nzvifv
Source: DUI70.dll.4.dr Static PE information: section name: .tops
Source: DUI70.dll.4.dr Static PE information: section name: .lrjye
Source: DUI70.dll.4.dr Static PE information: section name: .qwdob
Source: DUI70.dll.4.dr Static PE information: section name: .xcq
Source: DUI70.dll.4.dr Static PE information: section name: .ifxvj
Source: DUI70.dll.4.dr Static PE information: section name: .fgpyt
Source: DUI70.dll.4.dr Static PE information: section name: .tgzhe
Source: DUI70.dll.4.dr Static PE information: section name: .oocus
Source: DUI70.dll.4.dr Static PE information: section name: .ybtor
Source: DUI70.dll.4.dr Static PE information: section name: .gxixek
Source: DUI70.dll.4.dr Static PE information: section name: .bcdsk
Source: DUI70.dll0.4.dr Static PE information: section name: .qkm
Source: DUI70.dll0.4.dr Static PE information: section name: .cvjb
Source: DUI70.dll0.4.dr Static PE information: section name: .tlmkv
Source: DUI70.dll0.4.dr Static PE information: section name: .wucsxe
Source: DUI70.dll0.4.dr Static PE information: section name: .fltwtj
Source: DUI70.dll0.4.dr Static PE information: section name: .sfplio
Source: DUI70.dll0.4.dr Static PE information: section name: .rpg
Source: DUI70.dll0.4.dr Static PE information: section name: .bewzc
Source: DUI70.dll0.4.dr Static PE information: section name: .vksvaw
Source: DUI70.dll0.4.dr Static PE information: section name: .wmhg
Source: DUI70.dll0.4.dr Static PE information: section name: .kswemc
Source: DUI70.dll0.4.dr Static PE information: section name: .kaxfk
Source: DUI70.dll0.4.dr Static PE information: section name: .pjf
Source: DUI70.dll0.4.dr Static PE information: section name: .favk
Source: DUI70.dll0.4.dr Static PE information: section name: .vhtukj
Source: DUI70.dll0.4.dr Static PE information: section name: .hmbyox
Source: DUI70.dll0.4.dr Static PE information: section name: .djv
Source: DUI70.dll0.4.dr Static PE information: section name: .hpern
Source: DUI70.dll0.4.dr Static PE information: section name: .czzwqg
Source: DUI70.dll0.4.dr Static PE information: section name: .jxjvn
Source: DUI70.dll0.4.dr Static PE information: section name: .jfsnsk
Source: DUI70.dll0.4.dr Static PE information: section name: .nzvifv
Source: DUI70.dll0.4.dr Static PE information: section name: .tops
Source: DUI70.dll0.4.dr Static PE information: section name: .lrjye
Source: DUI70.dll0.4.dr Static PE information: section name: .qwdob
Source: DUI70.dll0.4.dr Static PE information: section name: .xcq
Source: DUI70.dll0.4.dr Static PE information: section name: .ifxvj
Source: DUI70.dll0.4.dr Static PE information: section name: .fgpyt
Source: DUI70.dll0.4.dr Static PE information: section name: .tgzhe
Source: DUI70.dll0.4.dr Static PE information: section name: .oocus
Source: DUI70.dll0.4.dr Static PE information: section name: .ybtor
Source: DUI70.dll0.4.dr Static PE information: section name: .gxixek
Source: DUI70.dll0.4.dr Static PE information: section name: .rupume
Source: WINBRAND.dll.4.dr Static PE information: section name: .qkm
Source: WINBRAND.dll.4.dr Static PE information: section name: .cvjb
Source: WINBRAND.dll.4.dr Static PE information: section name: .tlmkv
Source: WINBRAND.dll.4.dr Static PE information: section name: .wucsxe
Source: WINBRAND.dll.4.dr Static PE information: section name: .fltwtj
Source: WINBRAND.dll.4.dr Static PE information: section name: .sfplio
Source: WINBRAND.dll.4.dr Static PE information: section name: .rpg
Source: WINBRAND.dll.4.dr Static PE information: section name: .bewzc
Source: WINBRAND.dll.4.dr Static PE information: section name: .vksvaw
Source: WINBRAND.dll.4.dr Static PE information: section name: .wmhg
Source: WINBRAND.dll.4.dr Static PE information: section name: .kswemc
Source: WINBRAND.dll.4.dr Static PE information: section name: .kaxfk
Source: WINBRAND.dll.4.dr Static PE information: section name: .pjf
Source: WINBRAND.dll.4.dr Static PE information: section name: .favk
Source: WINBRAND.dll.4.dr Static PE information: section name: .vhtukj
Source: WINBRAND.dll.4.dr Static PE information: section name: .hmbyox
Source: WINBRAND.dll.4.dr Static PE information: section name: .djv
Source: WINBRAND.dll.4.dr Static PE information: section name: .hpern
Source: WINBRAND.dll.4.dr Static PE information: section name: .czzwqg
Source: WINBRAND.dll.4.dr Static PE information: section name: .jxjvn
Source: WINBRAND.dll.4.dr Static PE information: section name: .jfsnsk
Source: WINBRAND.dll.4.dr Static PE information: section name: .nzvifv
Source: WINBRAND.dll.4.dr Static PE information: section name: .tops
Source: WINBRAND.dll.4.dr Static PE information: section name: .lrjye
Source: WINBRAND.dll.4.dr Static PE information: section name: .qwdob
Source: WINBRAND.dll.4.dr Static PE information: section name: .xcq
Source: WINBRAND.dll.4.dr Static PE information: section name: .ifxvj
Source: WINBRAND.dll.4.dr Static PE information: section name: .fgpyt
Source: WINBRAND.dll.4.dr Static PE information: section name: .tgzhe
Source: WINBRAND.dll.4.dr Static PE information: section name: .oocus
Source: WINBRAND.dll.4.dr Static PE information: section name: .ybtor
Source: WINBRAND.dll.4.dr Static PE information: section name: .gxixek
Source: WINBRAND.dll.4.dr Static PE information: section name: .bbmsy
Source: dpx.dll.4.dr Static PE information: section name: .qkm
Source: dpx.dll.4.dr Static PE information: section name: .cvjb
Source: dpx.dll.4.dr Static PE information: section name: .tlmkv
Source: dpx.dll.4.dr Static PE information: section name: .wucsxe
Source: dpx.dll.4.dr Static PE information: section name: .fltwtj
Source: dpx.dll.4.dr Static PE information: section name: .sfplio
Source: dpx.dll.4.dr Static PE information: section name: .rpg
Source: dpx.dll.4.dr Static PE information: section name: .bewzc
Source: dpx.dll.4.dr Static PE information: section name: .vksvaw
Source: dpx.dll.4.dr Static PE information: section name: .wmhg
Source: dpx.dll.4.dr Static PE information: section name: .kswemc
Source: dpx.dll.4.dr Static PE information: section name: .kaxfk
Source: dpx.dll.4.dr Static PE information: section name: .pjf
Source: dpx.dll.4.dr Static PE information: section name: .favk
Source: dpx.dll.4.dr Static PE information: section name: .vhtukj
Source: dpx.dll.4.dr Static PE information: section name: .hmbyox
Source: dpx.dll.4.dr Static PE information: section name: .djv
Source: dpx.dll.4.dr Static PE information: section name: .hpern
Source: dpx.dll.4.dr Static PE information: section name: .czzwqg
Source: dpx.dll.4.dr Static PE information: section name: .jxjvn
Source: dpx.dll.4.dr Static PE information: section name: .jfsnsk
Source: dpx.dll.4.dr Static PE information: section name: .nzvifv
Source: dpx.dll.4.dr Static PE information: section name: .tops
Source: dpx.dll.4.dr Static PE information: section name: .lrjye
Source: dpx.dll.4.dr Static PE information: section name: .qwdob
Source: dpx.dll.4.dr Static PE information: section name: .xcq
Source: dpx.dll.4.dr Static PE information: section name: .ifxvj
Source: dpx.dll.4.dr Static PE information: section name: .fgpyt
Source: dpx.dll.4.dr Static PE information: section name: .tgzhe
Source: dpx.dll.4.dr Static PE information: section name: .oocus
Source: dpx.dll.4.dr Static PE information: section name: .ybtor
Source: dpx.dll.4.dr Static PE information: section name: .gxixek
Source: MFC42u.dll.4.dr Static PE information: section name: .qkm
Source: MFC42u.dll.4.dr Static PE information: section name: .cvjb
Source: MFC42u.dll.4.dr Static PE information: section name: .tlmkv
Source: MFC42u.dll.4.dr Static PE information: section name: .wucsxe
Source: MFC42u.dll.4.dr Static PE information: section name: .fltwtj
Source: MFC42u.dll.4.dr Static PE information: section name: .sfplio
Source: MFC42u.dll.4.dr Static PE information: section name: .rpg
Source: MFC42u.dll.4.dr Static PE information: section name: .bewzc
Source: MFC42u.dll.4.dr Static PE information: section name: .vksvaw
Source: MFC42u.dll.4.dr Static PE information: section name: .wmhg
Source: MFC42u.dll.4.dr Static PE information: section name: .kswemc
Source: MFC42u.dll.4.dr Static PE information: section name: .kaxfk
Source: MFC42u.dll.4.dr Static PE information: section name: .pjf
Source: MFC42u.dll.4.dr Static PE information: section name: .favk
Source: MFC42u.dll.4.dr Static PE information: section name: .vhtukj
Source: MFC42u.dll.4.dr Static PE information: section name: .hmbyox
Source: MFC42u.dll.4.dr Static PE information: section name: .djv
Source: MFC42u.dll.4.dr Static PE information: section name: .hpern
Source: MFC42u.dll.4.dr Static PE information: section name: .czzwqg
Source: MFC42u.dll.4.dr Static PE information: section name: .jxjvn
Source: MFC42u.dll.4.dr Static PE information: section name: .jfsnsk
Source: MFC42u.dll.4.dr Static PE information: section name: .nzvifv
Source: MFC42u.dll.4.dr Static PE information: section name: .tops
Source: MFC42u.dll.4.dr Static PE information: section name: .lrjye
Source: MFC42u.dll.4.dr Static PE information: section name: .qwdob
Source: MFC42u.dll.4.dr Static PE information: section name: .xcq
Source: MFC42u.dll.4.dr Static PE information: section name: .ifxvj
Source: MFC42u.dll.4.dr Static PE information: section name: .fgpyt
Source: MFC42u.dll.4.dr Static PE information: section name: .tgzhe
Source: MFC42u.dll.4.dr Static PE information: section name: .oocus
Source: MFC42u.dll.4.dr Static PE information: section name: .ybtor
Source: MFC42u.dll.4.dr Static PE information: section name: .gxixek
Source: MFC42u.dll.4.dr Static PE information: section name: .zlxpb
Source: VERSION.dll.4.dr Static PE information: section name: .qkm
Source: VERSION.dll.4.dr Static PE information: section name: .cvjb
Source: VERSION.dll.4.dr Static PE information: section name: .tlmkv
Source: VERSION.dll.4.dr Static PE information: section name: .wucsxe
Source: VERSION.dll.4.dr Static PE information: section name: .fltwtj
Source: VERSION.dll.4.dr Static PE information: section name: .sfplio
Source: VERSION.dll.4.dr Static PE information: section name: .rpg
Source: VERSION.dll.4.dr Static PE information: section name: .bewzc
Source: VERSION.dll.4.dr Static PE information: section name: .vksvaw
Source: VERSION.dll.4.dr Static PE information: section name: .wmhg
Source: VERSION.dll.4.dr Static PE information: section name: .kswemc
Source: VERSION.dll.4.dr Static PE information: section name: .kaxfk
Source: VERSION.dll.4.dr Static PE information: section name: .pjf
Source: VERSION.dll.4.dr Static PE information: section name: .favk
Source: VERSION.dll.4.dr Static PE information: section name: .vhtukj
Source: VERSION.dll.4.dr Static PE information: section name: .hmbyox
Source: VERSION.dll.4.dr Static PE information: section name: .djv
Source: VERSION.dll.4.dr Static PE information: section name: .hpern
Source: VERSION.dll.4.dr Static PE information: section name: .czzwqg
Source: VERSION.dll.4.dr Static PE information: section name: .jxjvn
Source: VERSION.dll.4.dr Static PE information: section name: .jfsnsk
Source: VERSION.dll.4.dr Static PE information: section name: .nzvifv
Source: VERSION.dll.4.dr Static PE information: section name: .tops
Source: VERSION.dll.4.dr Static PE information: section name: .lrjye
Source: VERSION.dll.4.dr Static PE information: section name: .qwdob
Source: VERSION.dll.4.dr Static PE information: section name: .xcq
Source: VERSION.dll.4.dr Static PE information: section name: .ifxvj
Source: VERSION.dll.4.dr Static PE information: section name: .fgpyt
Source: VERSION.dll.4.dr Static PE information: section name: .tgzhe
Source: VERSION.dll.4.dr Static PE information: section name: .oocus
Source: VERSION.dll.4.dr Static PE information: section name: .ybtor
Source: VERSION.dll.4.dr Static PE information: section name: .gxixek
Source: VERSION.dll.4.dr Static PE information: section name: .yjlrz
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .qkm
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .cvjb
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .tlmkv
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .wucsxe
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .fltwtj
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .sfplio
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .rpg
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .bewzc
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .vksvaw
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .wmhg
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .kswemc
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .kaxfk
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .pjf
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .favk
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .vhtukj
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .hmbyox
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .djv
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .hpern
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .czzwqg
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .jxjvn
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .jfsnsk
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .nzvifv
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .tops
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .lrjye
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .qwdob
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .xcq
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .ifxvj
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .fgpyt
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .tgzhe
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .oocus
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .ybtor
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .gxixek
Source: NETPLWIZ.dll.4.dr Static PE information: section name: .uwdayb
Source: XmlLite.dll.4.dr Static PE information: section name: .qkm
Source: XmlLite.dll.4.dr Static PE information: section name: .cvjb
Source: XmlLite.dll.4.dr Static PE information: section name: .tlmkv
Source: XmlLite.dll.4.dr Static PE information: section name: .wucsxe
Source: XmlLite.dll.4.dr Static PE information: section name: .fltwtj
Source: XmlLite.dll.4.dr Static PE information: section name: .sfplio
Source: XmlLite.dll.4.dr Static PE information: section name: .rpg
Source: XmlLite.dll.4.dr Static PE information: section name: .bewzc
Source: XmlLite.dll.4.dr Static PE information: section name: .vksvaw
Source: XmlLite.dll.4.dr Static PE information: section name: .wmhg
Source: XmlLite.dll.4.dr Static PE information: section name: .kswemc
Source: XmlLite.dll.4.dr Static PE information: section name: .kaxfk
Source: XmlLite.dll.4.dr Static PE information: section name: .pjf
Source: XmlLite.dll.4.dr Static PE information: section name: .favk
Source: XmlLite.dll.4.dr Static PE information: section name: .vhtukj
Source: XmlLite.dll.4.dr Static PE information: section name: .hmbyox
Source: XmlLite.dll.4.dr Static PE information: section name: .djv
Source: XmlLite.dll.4.dr Static PE information: section name: .hpern
Source: XmlLite.dll.4.dr Static PE information: section name: .czzwqg
Source: XmlLite.dll.4.dr Static PE information: section name: .jxjvn
Source: XmlLite.dll.4.dr Static PE information: section name: .jfsnsk
Source: XmlLite.dll.4.dr Static PE information: section name: .nzvifv
Source: XmlLite.dll.4.dr Static PE information: section name: .tops
Source: XmlLite.dll.4.dr Static PE information: section name: .lrjye
Source: XmlLite.dll.4.dr Static PE information: section name: .qwdob
Source: XmlLite.dll.4.dr Static PE information: section name: .xcq
Source: XmlLite.dll.4.dr Static PE information: section name: .ifxvj
Source: XmlLite.dll.4.dr Static PE information: section name: .fgpyt
Source: XmlLite.dll.4.dr Static PE information: section name: .tgzhe
Source: XmlLite.dll.4.dr Static PE information: section name: .oocus
Source: XmlLite.dll.4.dr Static PE information: section name: .ybtor
Source: XmlLite.dll.4.dr Static PE information: section name: .gxixek
Source: XmlLite.dll.4.dr Static PE information: section name: .coe
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647F77B00 GetActiveWindow,LoadLibraryW,GetProcAddress,FreeLibrary,_CxxThrowException, 35_2_00007FF647F77B00
PE file contains an invalid checksum
Source: DUI70.dll0.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2550c1
Source: DUI70.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x25ac17
Source: NETPLWIZ.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x215425
Source: 3PgaI7gtQn.dll Static PE information: real checksum: 0x7d786c40 should be: 0x20c451
Source: XmlLite.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x212a10
Source: WINBRAND.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2146f9
Source: dpx.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20bdd5
Source: VERSION.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x212299
Source: MFC42u.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2191ea
Binary contains a suspicious time stamp
Source: bdeunlock.exe.4.dr Static PE information: 0xFC085887 [Sat Dec 29 21:03:03 2103 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\HxApBjE\Netplwiz.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aPIxGSGX\ddodiag.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\bnfeSWnf\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\oobM\mmc.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\zshP\VERSION.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\43ip\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\oobM\MFC42u.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\zshP\sigverif.exe

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B972EF4 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetLastError,GetProcessHeap,HeapAlloc,wcscmp,wcscmp,GetCurrentProcess,GetProcessMitigationPolicy,LocalAlloc,~SyncLockT,FreeLibrary,memset,memcpy,~SyncLockT,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetModuleFileNameW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,memcpy,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,memcpy,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetModuleHandleExW,GetLastError,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,memset,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,memset,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,HeapFree,GetLastError,memset,memset,GetLastError,GetLastError,memset,GetLastError,memset,GetLastError,memset,memset,FreeLibrary,memset,memcpy,memset,memset,memset,memset,GetLastError,memset,GetLastError,memset,memset,memset,memset,GetLastError,GetLastError,memset,GetLastError,memset,memset,memset,GetLastError,memset,GetLastError,memset,memset,memset,memset,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,FreeLibrary,memset,memcpy,~SyncLockT,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap 27_2_00007FF77B972EF4
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll64.exe TID: 6324 Thread sleep time: -60000s >= -30000s
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\HxApBjE\Netplwiz.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\aPIxGSGX\ddodiag.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\oobM\mmc.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\zshP\VERSION.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\oobM\MFC42u.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\zshP\sigverif.exe
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B972EF4 rdtsc 27_2_00007FF77B972EF4
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 GetSystemInfo, 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FBAD98 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError, 35_2_00007FF647FBAD98
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FB0414 FindClose,wcscpy_s,lstrlenW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,wcsrchr,wcsrchr,FindClose, 35_2_00007FF647FB0414
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B987818 GetLogicalDriveStringsW,GetLastError,GetProcessHeap,HeapAlloc,GetLogicalDriveStringsW,GetLastError,?UnlockWithKey@BuiVolume@@QEAAJPEBGPEAH@Z, 27_2_00007FF77B987818
Source: explorer.exe, 00000004.00000000.693344641.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.710454065.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.693344641.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.695007821.000000000A897000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAb
Source: explorer.exe, 00000004.00000000.687261263.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.693556150.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.693652783.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000004.00000000.681280708.000000000FCDC000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}e-1

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647F77B00 GetActiveWindow,LoadLibraryW,GetProcAddress,FreeLibrary,_CxxThrowException, 35_2_00007FF647F77B00
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B993B04 GetProcessHeap,HeapAlloc, 27_2_00007FF77B993B04
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B972EF4 rdtsc 27_2_00007FF77B972EF4
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose, 0_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B994AD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 27_2_00007FF77B994AD8
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B994E40 SetUnhandledExceptionFilter, 27_2_00007FF77B994E40
Source: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe Code function: 31_2_00007FF7FD013330 SetUnhandledExceptionFilter, 31_2_00007FF7FD013330
Source: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe Code function: 31_2_00007FF7FD0135B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_00007FF7FD0135B4
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FC2B48 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 35_2_00007FF647FC2B48
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FC2ED0 SetUnhandledExceptionFilter, 35_2_00007FF647FC2ED0

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: DUI70.dll.4.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFABD58EFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFABD58E000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFABB012A20 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: unknown base: 7FFABD58EFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: unknown base: 7FFABD58E000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: unknown base: 7FFABB012A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1
Source: explorer.exe, 00000004.00000000.685491455.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000000.723120319.0000000001080000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.671643095.0000000005E50000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.723120319.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.723120319.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.693556150.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Queries volume information: unknown VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLastError,GetLocaleInfoEx,??3@YAXPEAX@Z, 27_2_00007FF77B993B98
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary, 35_2_00007FF647FC0634
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B994FD0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 27_2_00007FF77B994FD0
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe Code function: 35_2_00007FF647FC013C memset,GetVersionExW,GetVersionExW, 35_2_00007FF647FC013C

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe Code function: 27_2_00007FF77B97193C GetCurrentProcessId,AllowSetForegroundWindow,CoCreateInstance,CoCreateInstance,GetSystemMetrics,RegGetValueW,GetSystemMetrics,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?CreateInstance@CSafeElementProxy@@SAJPEAVElement@DirectUI@@PEAPEAV1@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,SetForegroundWindow,LocalFree,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ, 27_2_00007FF77B97193C