Windows Analysis Report 3PgaI7gtQn

Overview

General Information

Sample Name: 3PgaI7gtQn (renamed file extension from none to dll)
Analysis ID: 492089
MD5: 8a6f4fe59b41d74501e04f1b451dc57d
SHA1: 064f5eca3efd02c5f40a8c9e7fedb86aa40eeed0
SHA256: d7cb31b51d497eaac81246a38db0abd05398832fb301cb1b97d1ca979df2a4ca
Tags: exe
Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 6272 cmdline: loaddll64.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll' MD5: A84133CCB118CF35D49A423CD836D0EF)
    • cmd.exe (PID: 2600 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 1444 cmdline: rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 900 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CopyPropVariant MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • bdeunlock.exe (PID: 3976 cmdline: C:\Windows\system32\bdeunlock.exe MD5: FAB70105E2075EEC9C249A4D499CAE7C)
        • bdeunlock.exe (PID: 2912 cmdline: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe MD5: FAB70105E2075EEC9C249A4D499CAE7C)
        • CameraSettingsUIHost.exe (PID: 6660 cmdline: C:\Windows\system32\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
        • CameraSettingsUIHost.exe (PID: 6744 cmdline: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
        • pwcreator.exe (PID: 1848 cmdline: C:\Windows\system32\pwcreator.exe MD5: BF33FA218E0B4F6AEC77616BE0F5DD9D)
        • pwcreator.exe (PID: 4984 cmdline: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe MD5: BF33FA218E0B4F6AEC77616BE0F5DD9D)
        • lpksetup.exe (PID: 5944 cmdline: C:\Windows\system32\lpksetup.exe MD5: 8E2C63E761A22724382338F349C55014)
        • lpksetup.exe (PID: 4732 cmdline: C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe MD5: 8E2C63E761A22724382338F349C55014)
    • rundll32.exe (PID: 2824 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropVariant MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 1572 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropertyStore MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5184 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,DestroyPropVariant MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2872 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,FormatTagFromWfx MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6116 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetAMSubtypeFromD3DFormat MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7164 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetD3DFormatFromMFSubtype MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5560 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAddPeriodicCallback MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5568 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateSerialWorkQueue MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4100 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueue MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3416 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueueEx MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6764 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAppendCollection MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6704 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAverageTimePerFrameToFrameRate MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6700 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginCreateFile MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4200 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginGetHostByName MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2464 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSS MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6832 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSSEx MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 1492 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginUnregisterWorkQueueWithMMCSS MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7040 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFCalculateBitmapImageSize MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2124 cmdline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFCalculateImageSize MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.710759124.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000024.00000002.812744317.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000015.00000002.820144134.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
0000001F.00000002.800645636.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000010.00000002.733013846.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 3PgaI7gtQn.dll | Virustotal: Detection: 68%
Source: 3PgaI7gtQn.dll | Metadefender: Detection: 54%
Source: 3PgaI7gtQn.dll | ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: 3PgaI7gtQn.dll | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\43ip\DUI70.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\oobM\MFC42u.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\zshP\VERSION.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\43ip\DUI70.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Machine Learning detection for sample
Source: 3PgaI7gtQn.dll | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\43ip\DUI70.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\oobM\MFC42u.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\zshP\VERSION.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\43ip\DUI70.dll | Joe Sandbox ML: detected
Source: 3PgaI7gtQn.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: bdeunlock.pdbGCTL source: bdeunlock.exe, 0000001B.00000000.778824704.00007FF77B997000.00000002.00020000.sdmp
Source: Binary string: pwcreator.pdb source: pwcreator.exe, 00000023.00000000.806170526.00007FF647FCA000.00000002.00020000.sdmp
Source: Binary string: pwcreator.pdbGCTL source: pwcreator.exe, 00000023.00000000.806170526.00007FF647FCA000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe, 0000001F.00000002.802434420.00007FF7FD015000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe, 0000001F.00000002.802434420.00007FF7FD015000.00000002.00020000.sdmp
Source: Binary string: bdeunlock.pdb source: bdeunlock.exe, 0000001B.00000000.778824704.00007FF77B997000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D290 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe | Code function: 35_2_00007FF647FBAD98 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,
Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe | Code function: 35_2_00007FF647FB0414 FindClose,wcscpy_s,lstrlenW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,wcsrchr,wcsrchr,FindClose,
Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe | Code function: 27_2_00007FF77B987818 GetLogicalDriveStringsW,GetLastError,GetProcessHeap,HeapAlloc,GetLogicalDriveStringsW,GetLastError,?UnlockWithKey@BuiVolume@@QEAAJPEBGPEAH@Z,

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match | File source: 0000000B.00000002.710759124.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.812744317.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.820144134.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.800645636.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.733013846.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.703548461.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.776537982.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.726244001.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.666186606.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.802131007.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.756539402.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.822671536.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.839774355.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.673965568.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.681251793.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.783009139.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.688453025.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.741881097.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.794067616.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.760994382.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.718583222.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.749401860.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.783658899.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.812206472.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.698430783.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, type: MEMORY
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: String function: 00007FF647F72AC0 appears 86 times
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: String function: 00007FF647FBEA7C appears 78 times
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: String function: 00007FF647F758F8 appears 101 times
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: String function: 00007FF647F726CC appears 146 times
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140046C90 NtClose,
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014006A4B0 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FBBA40 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FB0C64 RtlInitUnicodeString,memset,NtOpenSymbolicLinkObject,memset,NtQuerySymbolicLinkObject,_wcsnicmp,NtClose,NtClose,_CxxThrowException,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FBAD98 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FB8DD8 memset,NtWriteFile,NtReadFile,NtWriteFile,NtWriteFile,NtWriteFile,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FB9DF8 NtReadFile,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FB9E3C memset,CreateFileW,NtClose,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FB9F70 GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetLastError,GetLastError,GetLastError,RtlImageNtHeader,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,memset,WriteFile,GetLastError,GetProcessHeap,HeapFree,NtClose,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,SetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FB50C8 NtClose,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FB90D8 RtlInitUnicodeString,NtOpenFile,NtCreateEvent,NtDeviceIoControlFile,NtWaitForSingleObject,NtClose,NtClose,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647F990E8 memset,NtQuerySystemInformation,_CxxThrowException,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647F993BC CreateFileW,NtQueryVolumeInformationFile,CloseHandle,_CxxThrowException,_CxxThrowException,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FB94F0 CreateFileW,GetLastError,GetProcessHeap,HeapAlloc,NtQueryInformationFile,NtOpenProcess,NtQueryInformationProcess,GetProcessHeap,HeapAlloc,NtQueryInformationProcess,NtClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FC17EC GetFileAttributesW,SetFileAttributesW,CreateFileW,GetFileInformationByHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,memset,GetFullPathNameW,HeapAlloc,RtlDeleteBoundaryDescriptor,_wcsicmp,FindClose,GetProcessHeap,HeapFree,GetLastError,GetLastError,NtSetInformationFile,RtlNtStatusToDosError,CloseHandle,SetFileAttributesW,GetProcessHeap,HeapFree,GetLastError,GetLastError,GetProcessHeap,HeapFree,SetLastError,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FB97EC GetCurrentThread,NtQueryInformationThread,GetCurrentThread,NtSetInformationThread,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FC1CDC GetFileAttributesW,SetFileAttributesW,CreateFileW,DeviceIoControl,GetLastError,CloseHandle,GetLastError,GetProcessHeap,HeapFree,SetLastError,SetLastError,
            Source: bdeunlock.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: bdeunlock.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: bdeunlock.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: pwcreator.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: pwcreator.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: lpksetup.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: lpksetup.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: lpksetup.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mmc.exe.4.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: mmc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mmc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mmc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mmc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mmc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mmc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Netplwiz.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Netplwiz.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Netplwiz.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: DUI70.dll0.4.drStatic PE information: Number of sections : 39 > 10
            Source: DUI70.dll.4.drStatic PE information: Number of sections : 39 > 10
            Source: NETPLWIZ.dll.4.drStatic PE information: Number of sections : 39 > 10
            Source: 3PgaI7gtQn.dllStatic PE information: Number of sections : 38 > 10
            Source: XmlLite.dll.4.drStatic PE information: Number of sections : 39 > 10
            Source: WINBRAND.dll.4.drStatic PE information: Number of sections : 39 > 10
            Source: dpx.dll.4.drStatic PE information: Number of sections : 38 > 10
            Source: VERSION.dll.4.drStatic PE information: Number of sections : 39 > 10
            Source: MFC42u.dll.4.drStatic PE information: Number of sections : 39 > 10
            Source: 3PgaI7gtQn.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll0.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WINBRAND.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: dpx.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: MFC42u.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: VERSION.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: NETPLWIZ.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: XmlLite.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: 3PgaI7gtQn.dllVirustotal: Detection: 68%
            Source: 3PgaI7gtQn.dllMetadefender: Detection: 54%
            Source: 3PgaI7gtQn.dllReversingLabs: Detection: 75%
            Source: 3PgaI7gtQn.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll'
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CopyPropVariant
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropVariant
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropertyStore
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,DestroyPropVariant
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,FormatTagFromWfx
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetAMSubtypeFromD3DFormat
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetD3DFormatFromMFSubtype
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAddPeriodicCallback
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateSerialWorkQueue
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueue
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueueEx
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAppendCollection
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAverageTimePerFrameToFrameRate
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginCreateFile
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\bdeunlock.exe C:\Windows\system32\bdeunlock.exe
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginGetHostByName
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSS
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\CameraSettingsUIHost.exe C:\Windows\system32\CameraSettingsUIHost.exe
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSSEx
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginUnregisterWorkQueueWithMMCSS
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\pwcreator.exe C:\Windows\system32\pwcreator.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFCalculateBitmapImageSize
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\lpksetup.exe C:\Windows\system32\lpksetup.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFCalculateImageSize
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FBEBE0 GetCurrentThread,OpenThreadToken,GetLastError,GetProcessHeap,HeapAlloc,AdjustTokenPrivileges,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,AdjustTokenPrivileges,GetLastError,CloseHandle,GetProcessHeap,HeapFree,SetLastError,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FB3CDC GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,_CxxThrowException,_CxxThrowException,_CxxThrowException,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647F79EB8 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,_CxxThrowException,_CxxThrowException,_CxxThrowException,
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
            Source: classification engineClassification label: mal100.troj.evad.winDLL@69/17@0/1
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exeCode function: 27_2_00007FF77B988420 CoCreateInstance,ShellExecuteW,?NeedsDiscoveryVolumeUpdate@BuiVolume@@QEAAJPEAH@Z,?LaunchUpdate@BuiVolume@@QEAAJXZ,
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exeCode function: 27_2_00007FF77B9724D8 FormatMessageW,GetLastError,
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CopyPropVariant
            Source: C:\Windows\System32\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\{01c2b0c1-24c0-5263-91b2-55fa644b5b53}
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeMutant created: \Sessions\1\BaseNamedObjects\{65fc1c27-4504-7567-4300-8c5ca8b0c4c0}
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647F73AF4 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,EnterCriticalSection,LeaveCriticalSection,
            Source: pwcreator.exeString found in binary or memory: //IMAGE[@INDEX='%u']/WINDOWS/INSTALLATIONTYPE
            Source: 3PgaI7gtQn.dllStatic PE information: More than 224 > 100 exports found
            Source: 3PgaI7gtQn.dllStatic PE information: Image base 0x140000000 > 0x60000000
            Source: 3PgaI7gtQn.dllStatic file information: File size 2121728 > 1048576
            Source: 3PgaI7gtQn.dllStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: bdeunlock.pdbGCTL source: bdeunlock.exe, 0000001B.00000000.778824704.00007FF77B997000.00000002.00020000.sdmp
            Source: Binary string: pwcreator.pdb source: pwcreator.exe, 00000023.00000000.806170526.00007FF647FCA000.00000002.00020000.sdmp
            Source: Binary string: pwcreator.pdbGCTL source: pwcreator.exe, 00000023.00000000.806170526.00007FF647FCA000.00000002.00020000.sdmp
            Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe, 0000001F.00000002.802434420.00007FF7FD015000.00000002.00020000.sdmp
            Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe, 0000001F.00000002.802434420.00007FF7FD015000.00000002.00020000.sdmp
            Source: Binary string: bdeunlock.pdb source: bdeunlock.exe, 0000001B.00000000.778824704.00007FF77B997000.00000002.00020000.sdmp
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140056A4D push rdi; ret
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .qkm
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .cvjb
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .tlmkv
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .wucsxe
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .fltwtj
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .sfplio
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .rpg
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .bewzc
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .vksvaw
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .wmhg
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .kswemc
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .kaxfk
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .pjf
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .favk
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .vhtukj
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .hmbyox
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .djv
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .hpern
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .czzwqg
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .jxjvn
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .jfsnsk
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .nzvifv
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .tops
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .lrjye
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .qwdob
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .xcq
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .ifxvj
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .fgpyt
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .tgzhe
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .oocus
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .ybtor
            Source: 3PgaI7gtQn.dllStatic PE information: section name: .gxixek
            Source: bdeunlock.exe.4.drStatic PE information: section name: .imrsiv
            Source: CameraSettingsUIHost.exe.4.drStatic PE information: section name: .imrsiv
            Source: mmc.exe.4.drStatic PE information: section name: .didat
            Source: DUI70.dll.4.drStatic PE information: section name: .qkm
            Source: DUI70.dll.4.drStatic PE information: section name: .cvjb
            Source: DUI70.dll.4.drStatic PE information: section name: .tlmkv
            Source: DUI70.dll.4.drStatic PE information: section name: .wucsxe
            Source: DUI70.dll.4.drStatic PE information: section name: .fltwtj
            Source: DUI70.dll.4.drStatic PE information: section name: .sfplio
            Source: DUI70.dll.4.drStatic PE information: section name: .rpg
            Source: DUI70.dll.4.drStatic PE information: section name: .bewzc
            Source: DUI70.dll.4.drStatic PE information: section name: .vksvaw
            Source: DUI70.dll.4.drStatic PE information: section name: .wmhg
            Source: DUI70.dll.4.drStatic PE information: section name: .kswemc
            Source: DUI70.dll.4.drStatic PE information: section name: .kaxfk
            Source: DUI70.dll.4.drStatic PE information: section name: .pjf
            Source: DUI70.dll.4.drStatic PE information: section name: .favk
            Source: DUI70.dll.4.drStatic PE information: section name: .vhtukj
            Source: DUI70.dll.4.drStatic PE information: section name: .hmbyox
            Source: DUI70.dll.4.drStatic PE information: section name: .djv
            Source: DUI70.dll.4.drStatic PE information: section name: .hpern
            Source: DUI70.dll.4.drStatic PE information: section name: .czzwqg
            Source: DUI70.dll.4.drStatic PE information: section name: .jxjvn
            Source: DUI70.dll.4.drStatic PE information: section name: .jfsnsk
            Source: DUI70.dll.4.drStatic PE information: section name: .nzvifv
            Source: DUI70.dll.4.drStatic PE information: section name: .tops
            Source: DUI70.dll.4.drStatic PE information: section name: .lrjye
            Source: DUI70.dll.4.drStatic PE information: section name: .qwdob
            Source: DUI70.dll.4.drStatic PE information: section name: .xcq
            Source: DUI70.dll.4.drStatic PE information: section name: .ifxvj
            Source: DUI70.dll.4.drStatic PE information: section name: .fgpyt
            Source: DUI70.dll.4.drStatic PE information: section name: .tgzhe
            Source: DUI70.dll.4.drStatic PE information: section name: .oocus
            Source: DUI70.dll.4.drStatic PE information: section name: .ybtor
            Source: DUI70.dll.4.drStatic PE information: section name: .gxixek
            Source: DUI70.dll.4.drStatic PE information: section name: .bcdsk
            Source: DUI70.dll0.4.drStatic PE information: section name: .qkm
            Source: DUI70.dll0.4.drStatic PE information: section name: .cvjb
            Source: DUI70.dll0.4.drStatic PE information: section name: .tlmkv
            Source: DUI70.dll0.4.drStatic PE information: section name: .wucsxe
            Source: DUI70.dll0.4.drStatic PE information: section name: .fltwtj
            Source: DUI70.dll0.4.drStatic PE information: section name: .sfplio
            Source: DUI70.dll0.4.drStatic PE information: section name: .rpg
            Source: DUI70.dll0.4.drStatic PE information: section name: .bewzc
            Source: DUI70.dll0.4.drStatic PE information: section name: .vksvaw
            Source: DUI70.dll0.4.drStatic PE information: section name: .wmhg
            Source: DUI70.dll0.4.drStatic PE information: section name: .kswemc
            Source: DUI70.dll0.4.drStatic PE information: section name: .kaxfk
            Source: DUI70.dll0.4.drStatic PE information: section name: .pjf
            Source: DUI70.dll0.4.drStatic PE information: section name: .favk
            Source: DUI70.dll0.4.drStatic PE information: section name: .vhtukj
            Source: DUI70.dll0.4.drStatic PE information: section name: .hmbyox
            Source: DUI70.dll0.4.drStatic PE information: section name: .djv
            Source: DUI70.dll0.4.drStatic PE information: section name: .hpern
            Source: DUI70.dll0.4.drStatic PE information: section name: .czzwqg
            Source: DUI70.dll0.4.drStatic PE information: section name: .jxjvn
            Source: DUI70.dll0.4.drStatic PE information: section name: .jfsnsk
            Source: DUI70.dll0.4.drStatic PE information: section name: .nzvifv
            Source: DUI70.dll0.4.drStatic PE information: section name: .tops
            Source: DUI70.dll0.4.drStatic PE information: section name: .lrjye
            Source: DUI70.dll0.4.drStatic PE information: section name: .qwdob
            Source: DUI70.dll0.4.drStatic PE information: section name: .xcq
            Source: DUI70.dll0.4.drStatic PE information: section name: .ifxvj
            Source: DUI70.dll0.4.drStatic PE information: section name: .fgpyt
            Source: DUI70.dll0.4.drStatic PE information: section name: .tgzhe
            Source: DUI70.dll0.4.drStatic PE information: section name: .oocus
            Source: DUI70.dll0.4.drStatic PE information: section name: .ybtor
            Source: DUI70.dll0.4.drStatic PE information: section name: .gxixek
            Source: DUI70.dll0.4.drStatic PE information: section name: .rupume
            Source: WINBRAND.dll.4.drStatic PE information: section name: .qkm
            Source: WINBRAND.dll.4.drStatic PE information: section name: .cvjb
            Source: WINBRAND.dll.4.drStatic PE information: section name: .tlmkv
            Source: WINBRAND.dll.4.drStatic PE information: section name: .wucsxe
            Source: WINBRAND.dll.4.drStatic PE information: section name: .fltwtj
            Source: WINBRAND.dll.4.drStatic PE information: section name: .sfplio
            Source: WINBRAND.dll.4.drStatic PE information: section name: .rpg
            Source: WINBRAND.dll.4.drStatic PE information: section name: .bewzc
            Source: WINBRAND.dll.4.drStatic PE information: section name: .vksvaw
            Source: WINBRAND.dll.4.drStatic PE information: section name: .wmhg
            Source: WINBRAND.dll.4.drStatic PE information: section name: .kswemc
            Source: WINBRAND.dll.4.drStatic PE information: section name: .kaxfk
            Source: WINBRAND.dll.4.drStatic PE information: section name: .pjf
            Source: WINBRAND.dll.4.drStatic PE information: section name: .favk
            Source: WINBRAND.dll.4.drStatic PE information: section name: .vhtukj
            Source: WINBRAND.dll.4.drStatic PE information: section name: .hmbyox
            Source: WINBRAND.dll.4.drStatic PE information: section name: .djv
            Source: WINBRAND.dll.4.drStatic PE information: section name: .hpern
            Source: WINBRAND.dll.4.drStatic PE information: section name: .czzwqg
            Source: WINBRAND.dll.4.drStatic PE information: section name: .jxjvn
            Source: WINBRAND.dll.4.drStatic PE information: section name: .jfsnsk
            Source: WINBRAND.dll.4.drStatic PE information: section name: .nzvifv
            Source: WINBRAND.dll.4.drStatic PE information: section name: .tops
            Source: WINBRAND.dll.4.drStatic PE information: section name: .lrjye
            Source: WINBRAND.dll.4.drStatic PE information: section name: .qwdob
            Source: WINBRAND.dll.4.drStatic PE information: section name: .xcq
            Source: WINBRAND.dll.4.drStatic PE information: section name: .ifxvj
            Source: WINBRAND.dll.4.dr	Static PE information: section name: .fgpyt
            Source: WINBRAND.dll.4.dr	Static PE information: section name: .tgzhe
            Source: WINBRAND.dll.4.dr	Static PE information: section name: .oocus
            Source: WINBRAND.dll.4.dr	Static PE information: section name: .ybtor
            Source: WINBRAND.dll.4.dr	Static PE information: section name: .gxixek
            Source: WINBRAND.dll.4.dr	Static PE information: section name: .bbmsy
            Source: dpx.dll.4.dr	Static PE information: section name: .qkm
            Source: dpx.dll.4.dr	Static PE information: section name: .cvjb
            Source: dpx.dll.4.dr	Static PE information: section name: .tlmkv
            Source: dpx.dll.4.dr	Static PE information: section name: .wucsxe
            Source: dpx.dll.4.dr	Static PE information: section name: .fltwtj
            Source: dpx.dll.4.dr	Static PE information: section name: .sfplio
            Source: dpx.dll.4.dr	Static PE information: section name: .rpg
            Source: dpx.dll.4.dr	Static PE information: section name: .bewzc
            Source: dpx.dll.4.dr	Static PE information: section name: .vksvaw
            Source: dpx.dll.4.dr	Static PE information: section name: .wmhg
            Source: dpx.dll.4.dr	Static PE information: section name: .kswemc
            Source: dpx.dll.4.dr	Static PE information: section name: .kaxfk
            Source: dpx.dll.4.dr	Static PE information: section name: .pjf
            Source: dpx.dll.4.dr	Static PE information: section name: .favk
            Source: dpx.dll.4.dr	Static PE information: section name: .vhtukj
            Source: dpx.dll.4.dr	Static PE information: section name: .hmbyox
            Source: dpx.dll.4.dr	Static PE information: section name: .djv
            Source: dpx.dll.4.dr	Static PE information: section name: .hpern
            Source: dpx.dll.4.dr	Static PE information: section name: .czzwqg
            Source: dpx.dll.4.dr	Static PE information: section name: .jxjvn
            Source: dpx.dll.4.dr	Static PE information: section name: .jfsnsk
            Source: dpx.dll.4.dr	Static PE information: section name: .nzvifv
            Source: dpx.dll.4.dr	Static PE information: section name: .tops
            Source: dpx.dll.4.dr	Static PE information: section name: .lrjye
            Source: dpx.dll.4.dr	Static PE information: section name: .qwdob
            Source: dpx.dll.4.dr	Static PE information: section name: .xcq
            Source: dpx.dll.4.dr	Static PE information: section name: .ifxvj
            Source: dpx.dll.4.dr	Static PE information: section name: .fgpyt
            Source: dpx.dll.4.dr	Static PE information: section name: .tgzhe
            Source: dpx.dll.4.dr	Static PE information: section name: .oocus
            Source: dpx.dll.4.dr	Static PE information: section name: .ybtor
            Source: dpx.dll.4.dr	Static PE information: section name: .gxixek
            Source: MFC42u.dll.4.dr	Static PE information: section name: .qkm
            Source: MFC42u.dll.4.dr	Static PE information: section name: .cvjb
            Source: MFC42u.dll.4.dr	Static PE information: section name: .tlmkv
            Source: MFC42u.dll.4.dr	Static PE information: section name: .wucsxe
            Source: MFC42u.dll.4.dr	Static PE information: section name: .fltwtj
            Source: MFC42u.dll.4.dr	Static PE information: section name: .sfplio
            Source: MFC42u.dll.4.dr	Static PE information: section name: .rpg
            Source: MFC42u.dll.4.dr	Static PE information: section name: .bewzc
            Source: MFC42u.dll.4.dr	Static PE information: section name: .vksvaw
            Source: MFC42u.dll.4.dr	Static PE information: section name: .wmhg
            Source: MFC42u.dll.4.dr	Static PE information: section name: .kswemc
            Source: MFC42u.dll.4.dr	Static PE information: section name: .kaxfk
            Source: MFC42u.dll.4.dr	Static PE information: section name: .pjf
            Source: MFC42u.dll.4.dr	Static PE information: section name: .favk
            Source: MFC42u.dll.4.dr	Static PE information: section name: .vhtukj
            Source: MFC42u.dll.4.dr	Static PE information: section name: .hmbyox
            Source: MFC42u.dll.4.dr	Static PE information: section name: .djv
            Source: MFC42u.dll.4.dr	Static PE information: section name: .hpern
            Source: MFC42u.dll.4.dr	Static PE information: section name: .czzwqg
            Source: MFC42u.dll.4.dr	Static PE information: section name: .jxjvn
            Source: MFC42u.dll.4.dr	Static PE information: section name: .jfsnsk
            Source: MFC42u.dll.4.dr	Static PE information: section name: .nzvifv
            Source: MFC42u.dll.4.dr	Static PE information: section name: .tops
            Source: MFC42u.dll.4.dr	Static PE information: section name: .lrjye
            Source: MFC42u.dll.4.dr	Static PE information: section name: .qwdob
            Source: MFC42u.dll.4.dr	Static PE information: section name: .xcq
            Source: MFC42u.dll.4.dr	Static PE information: section name: .ifxvj
            Source: MFC42u.dll.4.dr	Static PE information: section name: .fgpyt
            Source: MFC42u.dll.4.dr	Static PE information: section name: .tgzhe
            Source: MFC42u.dll.4.dr	Static PE information: section name: .oocus
            Source: MFC42u.dll.4.dr	Static PE information: section name: .ybtor
            Source: MFC42u.dll.4.dr	Static PE information: section name: .gxixek
            Source: MFC42u.dll.4.dr	Static PE information: section name: .zlxpb
            Source: VERSION.dll.4.dr	Static PE information: section name: .qkm
            Source: VERSION.dll.4.dr	Static PE information: section name: .cvjb
            Source: VERSION.dll.4.dr	Static PE information: section name: .tlmkv
            Source: VERSION.dll.4.dr	Static PE information: section name: .wucsxe
            Source: VERSION.dll.4.dr	Static PE information: section name: .fltwtj
            Source: VERSION.dll.4.dr	Static PE information: section name: .sfplio
            Source: VERSION.dll.4.dr	Static PE information: section name: .rpg
            Source: VERSION.dll.4.dr	Static PE information: section name: .bewzc
            Source: VERSION.dll.4.dr	Static PE information: section name: .vksvaw
            Source: VERSION.dll.4.dr	Static PE information: section name: .wmhg
            Source: VERSION.dll.4.dr	Static PE information: section name: .kswemc
            Source: VERSION.dll.4.dr	Static PE information: section name: .kaxfk
            Source: VERSION.dll.4.dr	Static PE information: section name: .pjf
            Source: VERSION.dll.4.dr	Static PE information: section name: .favk
            Source: VERSION.dll.4.dr	Static PE information: section name: .vhtukj
            Source: VERSION.dll.4.dr	Static PE information: section name: .hmbyox
            Source: VERSION.dll.4.dr	Static PE information: section name: .djv
            Source: VERSION.dll.4.dr	Static PE information: section name: .hpern
            Source: VERSION.dll.4.dr	Static PE information: section name: .czzwqg
            Source: VERSION.dll.4.dr	Static PE information: section name: .jxjvn
            Source: VERSION.dll.4.dr	Static PE information: section name: .jfsnsk
            Source: VERSION.dll.4.dr	Static PE information: section name: .nzvifv
            Source: VERSION.dll.4.dr	Static PE information: section name: .tops
            Source: VERSION.dll.4.dr	Static PE information: section name: .lrjye
            Source: VERSION.dll.4.dr	Static PE information: section name: .qwdob
            Source: VERSION.dll.4.dr	Static PE information: section name: .xcq
            Source: VERSION.dll.4.dr	Static PE information: section name: .ifxvj
            Source: VERSION.dll.4.dr	Static PE information: section name: .fgpyt
            Source: VERSION.dll.4.dr	Static PE information: section name: .tgzhe
            Source: VERSION.dll.4.dr	Static PE information: section name: .oocus
            Source: VERSION.dll.4.dr	Static PE information: section name: .ybtor
            Source: VERSION.dll.4.dr	Static PE information: section name: .gxixek
            Source: VERSION.dll.4.dr	Static PE information: section name: .yjlrz
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .qkm
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .cvjb
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .tlmkv
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .wucsxe
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .fltwtj
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .sfplio
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .rpg
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .bewzc
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .vksvaw
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .wmhg
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .kswemc
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .kaxfk
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .pjf
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .favk
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .vhtukj
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .hmbyox
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .djv
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .hpern
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .czzwqg
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .jxjvn
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .jfsnsk
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .nzvifv
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .tops
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .lrjye
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .qwdob
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .xcq
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .ifxvj
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .fgpyt
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .tgzhe
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .oocus
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .ybtor
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .gxixek
            Source: NETPLWIZ.dll.4.dr	Static PE information: section name: .uwdayb
            Source: XmlLite.dll.4.dr	Static PE information: section name: .qkm
            Source: XmlLite.dll.4.dr	Static PE information: section name: .cvjb
            Source: XmlLite.dll.4.dr	Static PE information: section name: .tlmkv
            Source: XmlLite.dll.4.dr	Static PE information: section name: .wucsxe
            Source: XmlLite.dll.4.dr	Static PE information: section name: .fltwtj
            Source: XmlLite.dll.4.dr	Static PE information: section name: .sfplio
            Source: XmlLite.dll.4.dr	Static PE information: section name: .rpg
            Source: XmlLite.dll.4.dr	Static PE information: section name: .bewzc
            Source: XmlLite.dll.4.dr	Static PE information: section name: .vksvaw
            Source: XmlLite.dll.4.dr	Static PE information: section name: .wmhg
            Source: XmlLite.dll.4.dr	Static PE information: section name: .kswemc
            Source: XmlLite.dll.4.dr	Static PE information: section name: .kaxfk
            Source: XmlLite.dll.4.dr	Static PE information: section name: .pjf
            Source: XmlLite.dll.4.dr	Static PE information: section name: .favk
            Source: XmlLite.dll.4.dr	Static PE information: section name: .vhtukj
            Source: XmlLite.dll.4.dr	Static PE information: section name: .hmbyox
            Source: XmlLite.dll.4.dr	Static PE information: section name: .djv
            Source: XmlLite.dll.4.dr	Static PE information: section name: .hpern
            Source: XmlLite.dll.4.dr	Static PE information: section name: .czzwqg
            Source: XmlLite.dll.4.dr	Static PE information: section name: .jxjvn
            Source: XmlLite.dll.4.dr	Static PE information: section name: .jfsnsk
            Source: XmlLite.dll.4.dr	Static PE information: section name: .nzvifv
            Source: XmlLite.dll.4.dr	Static PE information: section name: .tops
            Source: XmlLite.dll.4.dr	Static PE information: section name: .lrjye
            Source: XmlLite.dll.4.dr	Static PE information: section name: .qwdob
            Source: XmlLite.dll.4.dr	Static PE information: section name: .xcq
            Source: XmlLite.dll.4.dr	Static PE information: section name: .ifxvj
            Source: XmlLite.dll.4.dr	Static PE information: section name: .fgpyt
            Source: XmlLite.dll.4.dr	Static PE information: section name: .tgzhe
            Source: XmlLite.dll.4.dr	Static PE information: section name: .oocus
            Source: XmlLite.dll.4.dr	Static PE information: section name: .ybtor
            Source: XmlLite.dll.4.dr	Static PE information: section name: .gxixek
            Source: XmlLite.dll.4.dr	Static PE information: section name: .coe
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe	Code function: 35_2_00007FF647F77B00 GetActiveWindow,LoadLibraryW,GetProcAddress,FreeLibrary,_CxxThrowException,
            Source: DUI70.dll0.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2550c1
            Source: DUI70.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x25ac17
            Source: NETPLWIZ.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x215425
            Source: 3PgaI7gtQn.dll	Static PE information: real checksum: 0x7d786c40 should be: 0x20c451
            Source: XmlLite.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x212a10
            Source: WINBRAND.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2146f9
            Source: dpx.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x20bdd5
            Source: VERSION.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x212299
            Source: MFC42u.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2191ea
            Source: bdeunlock.exe.4.dr	Static PE information: 0xFC085887 [Sat Dec 29 21:03:03 2103 UTC]
            Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679 (reported 9 times)
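The three static findings above (the initial sample and every dropped DLL carry the same header CheckSum 0x7d786c40 while the value computed over the file differs, the .text section has entropy 7.73, and the sections carry random-looking names) can be reproduced without the sandbox. The script below is an added example, not part of the Joe Sandbox report: it re-implements the PE header checksum algorithm (the one ImageHlp's CheckSumMappedFile computes), measures per-section Shannon entropy and flags section names outside a small hand-written allow-list. The image it builds is constructed for the example, a minimal PE32+ with a normal .text section and a .qkm section that carries the report's 0x7d786c40 CheckSum; pass a file path to run it on a real sample instead.

```python
import math
import struct

# Section names a normal compiler build emits. Hand-written sample allow-list
# for this example, not an exhaustive set.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".bss", ".gfids", ".00cfg", ".CRT"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_header_offset(data: bytes) -> int:
    """Return e_lfanew after checking the MZ and PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return pe


def checksum_field_offset(data: bytes) -> int:
    # CheckSum sits 64 bytes into the optional header for PE32 and PE32+ alike.
    return pe_header_offset(data) + 24 + 64


def pe_checksum(data: bytes) -> int:
    """The ImageHlp CheckSumMappedFile algorithm: sum every dword except the
    CheckSum field with end-around carry, fold to 16 bits, add the file length."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def set_checksum(data: bytes, value: int) -> bytes:
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), value)
    return bytes(buf)


def sections(data: bytes):
    """(name, raw_size, entropy, is_standard) for every section header."""
    pe = pe_header_offset(data)
    count = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    out = []
    for i in range(count):
        entry = table + i * 40
        name = data[entry:entry + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        body = data[raw_ptr:raw_ptr + raw_size]
        out.append((name, raw_size, shannon_entropy(body), name in STANDARD_SECTIONS))
    return out


def triage(data: bytes) -> dict:
    secs = sections(data)
    hdr = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    calc = pe_checksum(data)
    return {"sections": secs,
            "nonstandard": [s[0] for s in secs if not s[3]],
            "high_entropy": [s[0] for s in secs if s[2] > 7.0],  # packed or encrypted
            "checksum_header": hdr, "checksum_computed": calc, "checksum_ok": hdr == calc}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image for this example (not a real file)."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                     # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    # COFF header: AMD64, 2 sections, 0xF0-byte optional header, EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x8664, 2, 0, 0, 0, 0xF0, 0x2022)
    struct.pack_into("<H", buf, 0x58, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", buf, 0x58 + 64, 0x7D786C40)          # CheckSum value from the report
    table = 0x58 + 0xF0
    for i, (name, ptr, body) in enumerate([(b".text", 0x200, b"\xCC" * 0x100),
                                           (b".qkm", 0x300, bytes(range(256)))]):
        e = table + i * 40
        buf[e:e + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", buf, e + 8, 0x100, 0x1000 * (i + 1), 0x100, ptr)  # VSize, VA, RawSize, RawPtr
        buf[ptr:ptr + 0x100] = body
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    r = triage(data)
    for name, size, ent, std in r["sections"]:
        print(f"{name:<8} size={size:#x} entropy={ent:.2f}{'' if std else '  <- non-standard name'}")
    print(f"checksum header={r['checksum_header']:#x} computed={r['checksum_computed']:#x} ok={r['checksum_ok']}")
```

Because all nine files in the report carry the same wrong CheckSum while their section names differ per file, the header value is a steadier pivot than the names when clustering samples from this family; a zero CheckSum, by contrast, is normal for unsigned binaries and should not be flagged on its own.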
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\HxApBjE\Netplwiz.exe
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\aPIxGSGX\ddodiag.exe
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\bnfeSWnf\DUI70.dll
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\oobM\mmc.exe
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\zshP\VERSION.dll
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\43ip\DUI70.dll
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\oobM\MFC42u.dll
            Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\zshP\sigverif.exe
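The sixteen files explorer.exe writes above land in eight fresh directories under AppData\Local, each holding one executable and one DLL that both carry the names of Windows system binaries (pwcreator.exe beside WINBRAND.dll, bdeunlock.exe beside DUI70.dll, and so on), and the report later shows code running inside bdeunlock.exe, CameraSettingsUIHost.exe and pwcreator.exe. The script below is an added example, not part of the Joe Sandbox report: it parses the report's own "File created" lines (embedded as the sample input), groups the drops by directory and flags executable/DLL pairs whose executable has a System32 file name but sits under a user profile, the layout used for DLL side-loading. The System32 name list is a hand-written sample for the example; build it from a clean System32 inventory in practice.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# The "File created" events as the report lists them (source process, then path).
REPORT_EVENTS = r"""
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\HxApBjE\Netplwiz.exe
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aPIxGSGX\ddodiag.exe
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\bnfeSWnf\DUI70.dll
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\oobM\mmc.exe
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\zshP\VERSION.dll
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\43ip\DUI70.dll
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\oobM\MFC42u.dll
C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\zshP\sigverif.exe
""".strip().splitlines()

# Names of Windows binaries that live under System32. Hand-written sample for
# this example; derive it from a clean System32 inventory in practice.
SYSTEM32_NAMES = {"netplwiz.exe", "ddodiag.exe", "camerasettingsuihost.exe", "pwcreator.exe",
                  "mmc.exe", "bdeunlock.exe", "lpksetup.exe", "sigverif.exe"}

EVENT_RE = re.compile(r"^(?P<proc>\S+) File created: (?P<path>.+?)\s*$")


def parse_events(lines):
    """(source process, created path) for every line that matches the report format."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((PureWindowsPath(m.group("proc")), PureWindowsPath(m.group("path"))))
    return events


def sideload_pairs(events, dropper="explorer.exe"):
    """Group PE drops by directory. One .exe plus one .dll written by the same
    (normally benign) process into a fresh directory is the side-loading layout:
    a genuine exe loads a DLL of the expected name from its own folder first."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    for proc, path in events:
        if proc.name.lower() != dropper:
            continue
        ext = path.suffix.lower()
        if ext in (".exe", ".dll"):
            by_dir[str(path.parent)][ext[1:]].append(path.name)
    return {d: (v["exe"][0], v["dll"][0]) for d, v in by_dir.items()
            if len(v["exe"]) == 1 and len(v["dll"]) == 1}


def relocated_system_binaries(pairs):
    """Pairs whose exe carries a System32 file name but sits under a user profile."""
    return {d: p for d, p in pairs.items()
            if p[0].lower() in SYSTEM32_NAMES and "\\appdata\\" in d.lower()}


if __name__ == "__main__":
    found = relocated_system_binaries(sideload_pairs(parse_events(REPORT_EVENTS)))
    for d, (exe, dll) in sorted(found.items()):
        print(f"{d}: {exe} + {dll}")
```

The same grouping works on Sysmon FileCreate events (Event ID 11) keyed on Image and TargetFilename; the report's "not been started" list shows that only some of the eight pairs ran in the sandbox, so the drop pattern, not execution, is the reliable trigger.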
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe	Code function: 27_2_00007FF77B972EF4 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetLastError,GetProcessHeap,HeapAlloc,wcscmp,wcscmp,GetCurrentProcess,GetProcessMitigationPolicy,LocalAlloc,~SyncLockT,FreeLibrary,memset,memcpy,~SyncLockT,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetModuleFileNameW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,memcpy,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,memcpy,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetModuleHandleExW,GetLastError,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,memset,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,memset,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,HeapFree,GetLastError,memset,memset,GetLastError,GetLastError,memset,GetLastError,memset,GetLastError,memset,memset,FreeLibrary,memset,memcpy,memset,memset,memset,memset,GetLastError,memset,GetLastError,memset,memset,memset,memset,GetLastError,GetLastError,memset,GetLastError,memset,memset,memset,GetLastError,memset,GetLastError,memset,memset,memset,memset,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,FreeLibrary,memset,memcpy,~SyncLockT,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap
            Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX (reported 19 times)
            Source: C:\Windows\System32\loaddll64.exe TID: 6324	Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\HxApBjE\Netplwiz.exe
            Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll
            Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\aPIxGSGX\ddodiag.exe
            Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\oobM\mmc.exe
            Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll
            Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\zshP\VERSION.dll
            Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll
            Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\oobM\MFC42u.dll
            Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\zshP\sigverif.exe
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe	Code function: 27_2_00007FF77B972EF4 rdtsc
            Source: C:\Windows\System32\loaddll64.exe	Process information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005C340 GetSystemInfo,
            Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005D290 FindFirstFileExW,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe	Code function: 35_2_00007FF647FBAD98 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe	Code function: 35_2_00007FF647FB0414 FindClose,wcscpy_s,lstrlenW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,wcsrchr,wcsrchr,FindClose,
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe	Code function: 27_2_00007FF77B987818 GetLogicalDriveStringsW,GetLastError,GetProcessHeap,HeapAlloc,GetLogicalDriveStringsW,GetLastError,?UnlockWithKey@BuiVolume@@QEAAJPEBGPEAH@Z,
            Source: explorer.exe, 00000004.00000000.693344641.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} (reported twice)
            Source: explorer.exe, 00000004.00000000.710454065.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000004.00000000.695007821.000000000A897000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAb
            Source: explorer.exe, 00000004.00000000.687261263.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
            Source: explorer.exe, 00000004.00000000.693556150.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
            Source: explorer.exe, 00000004.00000000.693652783.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
            Source: explorer.exe, 00000004.00000000.681280708.000000000FCDC000.00000004.00000001.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}e-1
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe	Code function: 35_2_00007FF647F77B00 GetActiveWindow,LoadLibraryW,GetProcAddress,FreeLibrary,_CxxThrowException,
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe	Code function: 27_2_00007FF77B993B04 GetProcessHeap,HeapAlloc,
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe	Code function: 27_2_00007FF77B972EF4 rdtsc
            Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose,
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe	Code function: 27_2_00007FF77B994AD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe	Code function: 27_2_00007FF77B994E40 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe	Code function: 31_2_00007FF7FD013330 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe	Code function: 31_2_00007FF7FD0135B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe	Code function: 35_2_00007FF647FC2B48 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe	Code function: 35_2_00007FF647FC2ED0 SetUnhandledExceptionFilter,

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exe	File created: DUI70.dll.4.dr
            Changes memory attributes in foreign processes to executable or writable
            Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFABD58EFE0 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFABD58E000 protect: page execute read
            Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFABB012A20 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exe	Memory protected: unknown base: 7FFABD58EFE0 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exe	Memory protected: unknown base: 7FFABD58E000 protect: page execute read
            Source: C:\Windows\System32\rundll32.exe	Memory protected: unknown base: 7FFABB012A20 protect: page execute and read and write
            Queues an APC in another process (thread injection)
            Source: C:\Windows\System32\rundll32.exe	Thread APC queued: target process: C:\Windows\explorer.exe
            Uses Atom Bombing / ProGate to inject into other processes
            Source: C:\Windows\System32\rundll32.exe	Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h (reported twice)
            Note: the listing above is a 32-bit decode of 64-bit code (this is the 64-bit rundll32.exe). Read as x64, the 40/41/48 bytes are REX prefixes rather than inc/dec: 40 55 push rbp, 53 push rbx, 56 push rsi, 57 push rdi, 41 54 push r12, 41 56 push r14, 48 8D 6C 24 D1 lea rbp, [rsp-2Fh], 48 81 EC sub rsp, 98h. That is an ordinary compiler-generated function prologue, i.e. executable code staged in the global atom table for the APC-driven injection into explorer.exe recorded above.
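The atom bytes the report prints can be checked by hand, and the same check makes a usable detection: atom names are normally text, so a name that decodes as an x64 function prologue is code staged for injection. The script below is an added example, not part of the Joe Sandbox report: it decodes only the instruction forms a prologue is built from (optionally REX-prefixed push r64, REX.W lea r64,[rsp+disp8], REX.W sub rsp,imm8/imm32), runs on the atom payload exactly as the report lists it, and applies a heuristic whose thresholds are the example's own choice.

```python
import struct

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

# Atom payload exactly as the report lists it (hex of the atom name bytes).
REPORT_ATOM_HEX = "405553565741544156488D6C24D14881EC98"


def decode_prologue(code: bytes):
    """Decode x64 prologue forms only and stop at the first other byte.
    Returns (instructions, truncated); truncated means the bytes ended
    mid-instruction, as they do in the report's atom dump."""
    out, i, n = [], 0, len(code)
    while i < n:
        rex = 0
        if 0x40 <= code[i] <= 0x4F:            # REX prefix: 0100 W R X B
            rex, i = code[i], i + 1
            if i >= n:
                return out, True
        op = code[i]
        rex_w, rex_b = bool(rex & 8), bool(rex & 1)
        if 0x50 <= op <= 0x57:                  # push r64; REX.B selects r8-r15
            out.append(f"push {REG64[(op - 0x50) + (8 if rex_b else 0)]}")
            i += 1
        elif rex_w and op == 0x8D and i + 1 < n and (code[i + 1] & 0xC7) == 0x44:
            # lea r64, [rsp+disp8]: ModRM mod=01 rm=100, so a SIB byte and a disp8 follow
            if i + 4 > n:
                return out, True
            reg, sib = (code[i + 1] >> 3) & 7, code[i + 2]
            if sib != 0x24:                     # only base=rsp with no index is handled
                break
            disp = struct.unpack_from("<b", code, i + 3)[0]
            out.append(f"lea {REG64[reg]}, [rsp{disp:+#x}]")
            i += 4
        elif rex_w and op in (0x81, 0x83) and i + 1 < n and code[i + 1] == 0xEC:
            size = 4 if op == 0x81 else 1       # 81 /5 id = imm32, 83 /5 ib = imm8
            if i + 2 + size > n:
                out.append("sub rsp, imm (truncated)")
                return out, True
            imm = int.from_bytes(code[i + 2:i + 2 + size], "little", signed=(size == 1))
            out.append(f"sub rsp, {imm:#x}")
            i += 2 + size
        else:
            break
    return out, False


def is_x64_prologue(code: bytes, min_pushes: int = 3) -> bool:
    """Three or more callee-saved pushes followed by frame setup reads as code,
    not as an atom name. Thresholds are this example's choice."""
    insns, _ = decode_prologue(code)
    pushes = sum(1 for s in insns if s.startswith("push "))
    frame = any(s.startswith(("lea rbp", "sub rsp")) for s in insns)
    return pushes >= min_pushes and frame


if __name__ == "__main__":
    code = bytes.fromhex(REPORT_ATOM_HEX)
    insns, truncated = decode_prologue(code)
    print("\n".join(insns) + ("\n(atom bytes end mid-instruction)" if truncated else ""))
    print("looks like an x64 prologue:", is_x64_prologue(code))
```

The decoder deliberately covers only the prologue shapes, so it cannot be fooled into "disassembling" ordinary text far enough to pass the heuristic; a capital letter happens to sit in the REX byte range, which is why the check requires several pushes plus frame setup rather than a single decodable instruction.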
            Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1
            Source: explorer.exe, 00000004.00000000.685491455.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
            Source: explorer.exe, 00000004.00000000.723120319.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Program Manager
            Source: explorer.exe, 00000004.00000000.671643095.0000000005E50000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000004.00000000.723120319.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Progman
            Source: explorer.exe, 00000004.00000000.723120319.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
            Source: explorer.exe, 00000004.00000000.693556150.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D
            Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation (reported 2 times)
            Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation (reported 32 times)
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe	Queries volume information: unknown VolumeInformation (reported 2 times)
            Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation (reported 4 times)
            Source: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe	Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exeCode function: GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLastError,GetLocaleInfoEx,??3@YAXPEAX@Z,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,
            Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exeCode function: 27_2_00007FF77B994FD0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,
            Source: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exeCode function: 35_2_00007FF647FC013C memset,GetVersionExW,GetVersionExW,
            Source: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exeCode function: 27_2_00007FF77B97193C GetCurrentProcessId,AllowSetForegroundWindow,CoCreateInstance,CoCreateInstance,GetSystemMetrics,RegGetValueW,GetSystemMetrics,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?CreateInstance@CSafeElementProxy@@SAJPEAVElement@DirectUI@@PEAPEAV1@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,SetForegroundWindow,LocalFree,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ,

Mitre Att&ck Matrix

Techniques are listed per tactic column of the report's matrix. A bracketed number after a technique is the matched-signature count exactly as it appears in the extracted report; techniques without a count carry no matched signature in this analysis.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter [2]; Native API [1]; Exploitation for Client Execution [1]; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Application Shimming [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Access Token Manipulation [1]; Process Injection [312]; Application Shimming [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [1]; Access Token Manipulation [1]; Process Injection [312]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Rundll32 [1]; Software Packing [2]; Timestomp [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1]; Security Software Discovery [21]; Virtualization/Sandbox Evasion [1]; Process Discovery [2]; File and Directory Discovery [2]; System Information Discovery [35]; Network Sniffing; Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Behavior Graph

Behavior Graph ID: 492089 | Sample: 3PgaI7gtQn | Start date: 28/09/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures

Process tree recovered from the graph ("->" reads parent -> child; bracketed numbers are the graph's per-process badge counts for created registry values and created files):

loaddll64.exe [1] (started)
  -> rundll32.exe (started)
       signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)
       -> explorer.exe [2 55] (injected)
            network: 192.168.2.1 (unknown / unknown)
            dropped: C:\Users\user\AppData\Local\...\VERSION.dll (PE32+); C:\Users\user\AppData\Local\oobM\MFC42u.dll (PE32+); C:\Users\user\AppData\Local\...\dpx.dll (PE32+); 13 other files (4 malicious)
            signature: Benign windows process drops PE files
            -> bdeunlock.exe (started)
            -> bdeunlock.exe (started)
            -> CameraSettingsUIHost.exe (started)
            -> 3 other processes
  -> rundll32.exe (started)
  -> cmd.exe [1] (started)
       -> rundll32.exe (started)
  -> 16 other processes


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
3PgaI7gtQn.dll | 69% | Virustotal | -
3PgaI7gtQn.dll | 54% | Metadefender | -
3PgaI7gtQn.dll | 76% | ReversingLabs | Win64.Infostealer.Dridex
3PgaI7gtQn.dll | 100% | Avira | HEUR/AGEN.1114452
3PgaI7gtQn.dll | 100% | Joe Sandbox ML | -

            Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\43ip\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\oobM\MFC42u.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\zshP\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\43ip\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\43ip\DUI70.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\oobM\MFC42u.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\zshP\VERSION.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\43ip\DUI70.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe | 0% | Metadefender | -
C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\HxApBjE\Netplwiz.exe | 0% | Metadefender | -
C:\Users\user\AppData\Local\HxApBjE\Netplwiz.exe | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\aPIxGSGX\ddodiag.exe | 0% | Metadefender | -
C:\Users\user\AppData\Local\aPIxGSGX\ddodiag.exe | 0% | ReversingLabs | -
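The table above shows every dropped .exe at 0% detection and every dropped .dll at 100%, and the "Created / dropped Files" entries later in the report place each clean executable in the same random-named directory as a flagged DLL that carries the name of a Windows system DLL (DUI70.dll, NETPLWIZ.dll, WINBRAND.dll, XmlLite.dll). The Python script below is an added triage example written by the editor; it is not part of the Joe Sandbox report. It transcribes those records (paths, detection percentages and the report's SSDEEP values) and does two things: it pairs undetected executables with detected DLLs per directory, which is the on-disk layout of DLL search-order hijacking (an inference from the file listing, not a finding the report itself states), and it clusters the dropped files by fuzzy-hash similarity, using difflib's ratio on the ssdeep chunk strings as a stand-in for ssdeep's own edit-distance score. The function names and the similarity threshold are the editor's choices.

```python
"""Triage of the dropped-file records in this report (editor's example, not Joe Sandbox output)."""
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Dropped:
    path: str        # full path from the "Created / dropped Files" section
    detection: int   # highest AV detection percentage from the "Dropped Files" table
    ssdeep: str      # the SSDEEP value the report lists for the file


# Transcribed from this report. Only files whose entries are visible in this section
# are included; bnfeSWnf\DUI70.dll is listed without details and is omitted.
DROPPED = [
    Dropped(r"C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe", 0,
            "768:HYxSW1tZfZjtM2mpgc8WtCpZswKro1PDg:HhAhty8WteuwKrwPDg"),
    Dropped(r"C:\Users\user\AppData\Local\43ip\DUI70.dll", 100,
            "12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1ymulOt:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnbMK"),
    Dropped(r"C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll", 100,
            "12288:oVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:9fP7fWsK5z9A+WGAW+V5SB6Ct4bnb"),
    Dropped(r"C:\Users\user\AppData\Local\HxApBjE\Netplwiz.exe", 0,
            "768:Sm6uxIL0DPeyQvEsNN6hU2hGGalaQkQcryUJU3fUrh6WeENiJDBPrxZt4W:p6MMD6hlBBjrywUKeWSDBPrxZaW"),
    Dropped(r"C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll", 100,
            "12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb"),
    Dropped(r"C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe", 0,
            "24576:TD+9c2wgjOGTtUNbYYotGatTAcBg9okYyW:kc2wg6GTtUNsAaScBgWDy"),
    Dropped(r"C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll", 100,
            "12288:KVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:XfP7fWsK5z9A+WGAW+V5SB6Ct4bnb"),
    Dropped(r"C:\Users\user\AppData\Local\aPIxGSGX\ddodiag.exe", 0,
            "768:Ii5tlKBaheiGK/hc3aZkLmMgMaouZl6i9Kott/D:/C0heiGK/hc3aZkLmMgMaouZl6i9t/D"),
]


def sideload_pairs(records):
    """Directories holding an undetected .exe next to a detected .dll.

    A clean executable dropped beside a DLL named like a Windows system DLL is the
    layout used for DLL search-order hijacking: the loader resolves the import from
    its own directory before System32. Returns {directory: (exe names, dll names)}.
    """
    by_dir = defaultdict(list)
    for rec in records:
        directory, name = ntpath.split(rec.path)
        by_dir[directory].append((name, rec))
    pairs = {}
    for directory, entries in sorted(by_dir.items()):
        exes = sorted(n for n, r in entries if n.lower().endswith(".exe") and r.detection == 0)
        dlls = sorted(n for n, r in entries if n.lower().endswith(".dll") and r.detection > 0)
        if exes and dlls:
            pairs[directory] = (exes, dlls)
    return pairs


def _ssdeep_parts(h):
    block, chunk, double = h.split(":", 2)   # "blocksize:chunk:doublechunk"
    return int(block), chunk + ":" + double


def ssdeep_similarity(h1, h2):
    """Approximate ssdeep score in [0, 100] for two report hashes.

    Real ssdeep scores the chunk strings with a weighted edit distance; difflib's
    ratio on the same strings is used here as an approximation that needs no
    third-party module. Hashes with different block sizes score 0.
    """
    b1, s1 = _ssdeep_parts(h1)
    b2, s2 = _ssdeep_parts(h2)
    if b1 != b2:
        return 0
    return int(round(100 * SequenceMatcher(None, s1, s2).ratio()))


def ssdeep_clusters(records, min_score=90):
    """Greedy single-linkage grouping: a file joins the first cluster in which any
    member scores >= min_score against it. Returns sorted name lists, largest first."""
    names = [ntpath.basename(r.path) for r in records]
    hashes = [r.ssdeep for r in records]
    clusters = []
    for i in range(len(records)):
        for members in clusters:
            if any(ssdeep_similarity(hashes[i], hashes[j]) >= min_score for j in members):
                members.append(i)
                break
        else:
            clusters.append([i])
    grouped = [sorted(names[i] for i in members) for members in clusters]
    return sorted(grouped, key=len, reverse=True)


if __name__ == "__main__":
    for directory, (exes, dlls) in sideload_pairs(DROPPED).items():
        print(f"{directory}: loader {exes} beside flagged {dlls}")
    for group in ssdeep_clusters(DROPPED):
        print("cluster:", group)
```

Running it reports four EXE/DLL pairs (43ip, HxApBjE, NfgW4al, aPIxGSGX) and puts the four DLLs in one cluster, since their ssdeep values differ in only a character or two, while each executable stays alone. On a live host the same pairing check applies to directories under %LOCALAPPDATA%, with the added step of comparing the DLL's hash against the copy in System32.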

            Unpacked PE Files

Source | Detection | Scanner | Label
30.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
13.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.loaddll64.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
23.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.2.pwcreator.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
32.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
31.2.CameraSettingsUIHost.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
19.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
21.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
27.2.bdeunlock.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
28.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted IPs


            Public

IP | Domain | Country | ASN | ASN Name | Malicious

            Private

            IP
            192.168.2.1

            General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 492089
Start date: 28.09.2021
Start time: 10:50:55
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 56s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 3PgaI7gtQn (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDLL@69/17@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 15.8% (good quality ratio 13.4%)
• Quality average: 77.9%
• Quality standard deviation: 37.1%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Excluded processes from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.82.210.154, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 204.79.197.200, 13.107.21.200, 20.49.157.6
• Excluded domains from analysis (whitelisted): www.bing.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, a-0001.a-afdentry.net.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time; behavior and disassembly information may be missing.
• Report size exceeded maximum capacity; behavior information may be missing.
• Report size exceeded maximum capacity; disassembly code may be missing.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.
• Report size getting too big: too many NtEnumerateKey calls found.

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 32104
Entropy (8bit): 6.224595599643794
Encrypted: false
SSDEEP: 768:HYxSW1tZfZjtM2mpgc8WtCpZswKro1PDg:HhAhty8WteuwKrwPDg
MD5: 34F32BC06CDC7AF56607D351B155140D
SHA1: 88EF25BC91BCC908AF743ECA254D6251E5564283
SHA-256: 47238D9ED75D01FD125AC76B500FEEF7F8B27255570AD02D18A4F049B05DF3BD
SHA-512: D855414779125F4E311ACF4D5EFC8ACA4452323CABD1694798CA90FD5BD76DC70B5D06790A2AE311E7DD19190DCCB134F6EF96AB1B7CF5B8A40AD642B72D5144
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._Lp..-...-...-...U...-..tI...-..tI...-..tI...-..tI...-...-..K-..tI...-..tI..-..tI...-..Rich.-..........................PE..d....\YN.........."......*...2.......0.........@.................................................... ......................................._.......................Z..h#...........X..T...................`S..(...`R...............S...............................text....(.......*.................. ..`.imrsiv......@...........................rdata.......P......................@..@.data........p.......J..............@....pdata...............L..............@..@.rsrc................P..............@..@.reloc...............X..............@..B................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\43ip\DUI70.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 2408448
Entropy (8bit): 4.088464785484027
Encrypted: false
SSDEEP: 12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1ymulOt:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnbMK
MD5: 4121EE4C9F38EE65D7E1D3F39CE327A4
SHA1: D85D7FBF8CDD63C2D7D2024C22EA63423D9292BB
SHA-256: 2E195E740BA535D55EFA59E4342EA5D76F2DAD519494BD8F6AA7BB715AA308B0
SHA-512: A4F246AD5BCB81B9730C7B8814DD2F6B4E62CC839A177B4CDE98DADC09401C1E027AC696C06C01676C7F47F7FB9C03426938006F2C5CE0EC7B278C60A6A469CB
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.'..DN^.........." .......... .....p..........@..............................$.....@lx}..b..........................................` .dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\HxApBjE\NETPLWIZ.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 2125824
Entropy (8bit): 3.5527133641756206
Encrypted: false
SSDEEP: 12288:oVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:9fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5: 7C2DFAC0CE010C8A44E593D1103BDA97
SHA1: 406EE28D9C04ED4F287A4792BD201668CF8CBC1D
SHA-256: 4FDB143C3627C8EA9C51899CA42246922F08A4873E8B2ED2BA11BD5AAE8221C8
SHA-512: 6FE9C8618DE0338E993AC4744E7DB6B0F55C4B96271205E96A7A7CC720F9914EDFE7D019B98AB70EC3479FB83AE41BBAB818A238CD249E195BDCE4D338305DD4
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.'..DN^.........." .........P......p..........@.............................p .....@lx}..b..........................................` ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\HxApBjE\Netplwiz.exe
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 39424
Entropy (8bit): 5.640119387300135
Encrypted: false
SSDEEP: 768:Sm6uxIL0DPeyQvEsNN6hU2hGGalaQkQcryUJU3fUrh6WeENiJDBPrxZt4W:p6MMD6hlBBjrywUKeWSDBPrxZaW
MD5: A513A767CC9CC3E694D8C9D53B90B73E
SHA1: F10B719117D26DAFCC9DBE54E9F9D78A0F80EE2A
SHA-256: C9F7AC4322504D7EC8305973951A66FBE34E55E34A59409B5B574D627A474369
SHA-512: 03BBBC076D3497E35952143085B9DCC83EDE855A00A190F05712FC91F0C0C4301995D0123EBDCA75A59B93C51358EAD5C4030F8EE9C33F9D1BF1A0EDBC52FD64
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;.K.U.K.U.K.U.B..G.U.$.P.J.U.$.V.H.U.$.Q.Y.U.$.T.F.U.K.T...U.$.\.J.U.$...J.U.$.W.J.U.RichK.U.........................PE..d...v............."..........n......@6.........@..........................................`.......... .......................................L...........F...p..................4....F..T............................@...............A...............................text....-.......................... ..`.rdata..t....@.......2..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc....F.......H...P..............@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\NfgW4al\WINBRAND.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 2125824
Entropy (8bit): 3.5537457737561593
Encrypted: false
SSDEEP: 12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5: 0FA8A4183C28C71FE734D6065497ADDE
SHA1: D22C41D6DF53577BD9013BB5AD02074576800F6C
SHA-256: 43DE8467A04ED6F74B09C66F09EE6FEF2BE1A5120C9B20C792B1CA98B117E400
SHA-512: AAE25C32715162F02FA2FEB437F4DF35015C68C9003F906CBFED45BFCD744F6AC724247B126882FD82E30037C68407C58704ACCF226B9F50325563344848D8D1
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.'..DN^.........." .........P......p..........@.............................p .....@lx}..b..........................................` ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 800768
Entropy (8bit): 5.701025089752158
Encrypted: false
SSDEEP: 24576:TD+9c2wgjOGTtUNbYYotGatTAcBg9okYyW:kc2wg6GTtUNsAaScBgWDy
MD5: BF33FA218E0B4F6AEC77616BE0F5DD9D
SHA1: F3F0A424406B743410F6E5C72209979AC9537FAE
SHA-256: E7760E07BE5CF608CC10FDDF0AB21E765F36962372BF9DA4360DCB196E08425D
SHA-512: 8BF912B8785DE97757F862A0C327A6BC921A895C79C8D6D593BA79C5450D12382A511BF974A2C01A183CCFA0F612AC4A80D6F346058ED1FB694ED71A43B1122C
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... ...NI..NI..NI..MH..NI..JH..NI..KH..NI..OH..NI..OIa~NI..GH,.NI...I..NI..LH..NIRich..NI........PE..d....._.........."..................'.........@.....................................?....`.......... ......................................x6..|........a.......B...........p......P...T...........................P...............P...(............................text...Q........................... ..`.rdata..............................@..@.data....:...p.......T..............@....pdata...B.......D..................@..@.rsrc....a.......b..................@..@.reloc.......p.......(..............@..B................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\aPIxGSGX\XmlLite.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 2125824
Entropy (8bit): 3.5529782689844396
Encrypted: false
SSDEEP: 12288:KVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:XfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5: 2BF02D76D58256D262FCEE3D70F9BA42
SHA1: 095C42C35275909EBC554B07B7B30DDF75843A27
SHA-256: A7FDE865CA3F382F9B288ECD01366EB88F5C53C3B8B03266DABDAB89C4E9690B
SHA-512: F5F8B185E62AF9104AB601877CFD3A2E4DF71BFF626A75ED00711108FFCBF81EE0C36E7575BCF0E4692BF0A124236F621E1F28037ACD3DF551D568DF99949623
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.'..DN^.........." .........P......p..........@.............................p .....@lx}..b..........................................` ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\aPIxGSGX\ddodiag.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):37888
            Entropy (8bit):5.0324146638870335
            Encrypted:false
            SSDEEP:768:Ii5tlKBaheiGK/hc3aZkLmMgMaouZl6i9Kott/D:/C0heiGK/hc3aZkLmMgMaouZl6i9t/D
            MD5:3CE911D7C12A2EFA9108514013BD17FE
            SHA1:2F739BD7731932A0BF13A3B8526FC867EC41C63E
            SHA-256:FC55CB5FF243496B039D3DB181BD846BDD38D11C7D52E4BA20D882B65FBE1C3B
            SHA-512:33F4FD94916DB3F0BC4E138DD88125D9B45108F7EECFDE0A54BE1901F4BE3F1966BC0FE9278A919A3D94AEC53A8269ACA9451EBA7D53C82BF64CC215522AD78E
            Malicious:false
            Antivirus:
            • Antivirus: Metadefender, Detection: 0%
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.=...S...S...S.s.P...S.s.W...S.s.V...S.s.R...S...R.$.S.s.Z...S.s....S.s.Q...S.Rich..S.........PE..d...~3............"......&...p......p/.........@.....................................q....`.......... .......................................~..d.......p.......................(...`z..T........................... E.............. F...............................text...P%.......&.................. ..`.rdata.."D...@...F...*..............@..@.data................p..............@....pdata..............................@..@.rsrc...p...........................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\bnfeSWnf\DUI70.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2408448
            Entropy (8bit):4.088173474060694
            Encrypted:false
            SSDEEP:12288:EVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ15sZz:hfP7fWsK5z9A+WGAW+V5SB6Ct4bnb5U
            MD5:5B66C49965E3F6B0E1B462A795619EB4
            SHA1:8639F82F4D16E35FEDC7A5778F7F43A252CFB6EE
            SHA-256:2FADF48DCCD8B10EADDA1405AA2D7E764E0563D22C589729D30FA419DEC50112
            SHA-512:0F3D0B89CED60B6725DA24FC5D973EB1EB0FF81ECEE2FCBCD15885BDD47D3011D53B4B390B018C4B81CE36654EDC6AE348DE8B404CE9187814733F179CA533EA
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.'..DN^.........." .......... .....p..........@..............................$.....@lx}..b..........................................` .dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):286232
            Entropy (8bit):6.926729215014979
            Encrypted:false
            SSDEEP:6144:jjJkzmZ4CSal+EH+pDQh01TXRYJWEmTKBKt1Vs7nyatGt+SYFmW2kb/:jtgmSdal+EH+5QhWEmTKB2H+S+7b/
            MD5:FAB70105E2075EEC9C249A4D499CAE7C
            SHA1:B5B4216725F55A4E6AF9FB0BB7E0167CEED6081F
            SHA-256:7EA89BE1BBA6A7C2B08D70FA8E4CF036CB086ED162BCD22255E2BC0F926B22B2
            SHA-512:96327DEC3BCEE7A9934AAF27F1942030D46CEE693AF2562EE4972D5306DD3AD14F404762B99E581C0F0F563610EA097372044890EB19CE1C7A8F535A78D9E19A
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..A~.~.~.~.~.~.w...v.~...}.}.~...z.l.~...{.x.~.....g.~.~.....~...w.i.~...~...~.......~...|...~.Rich~.~.........................PE..d....X............"......D..........pJ.........@....................................i................ ..................................P......T........x...........2...,......t.......T............................t...............u...............................text...PB.......D.................. ..`.imrsiv......`...........................rdata...c...p...d...H..............@..@.data...............................@....pdata..............................@..@.rsrc....x.......z..................@..@.reloc..t............0..............@..B........................................................................................................................................................................................................
            C:\Users\user\AppData\Local\fbMtwkN2S\dpx.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2121728
            Entropy (8bit):3.5580591254970417
            Encrypted:false
            SSDEEP:12288:1VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:sfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:11691B104F078DBB489FADF628AE5C83
            SHA1:5A85648864868255683546E5465E14D0E29427AF
            SHA-256:3619646B47E58F21DE52463FE7F6ECBA59173E10C6AED207D7B7D9425D3287C7
            SHA-512:A3909BD47F0ED501EE9B60D60260C1313E885CC7791A3700306DC607F6C07D1AB6EB0423CDC32385D1EFB3819733D5A6D5C090B89C14CD44B721EEE8F3BDEBC8
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.&..DN^.........." .........@......p..........@.............................` .....@lx}..b.........................................,o.......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\fbMtwkN2S\lpksetup.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):732160
            Entropy (8bit):6.573630291630044
            Encrypted:false
            SSDEEP:12288:U4O7JpqBbsczjBmavlNRO5Gy1ay0OBegtkGyLY9d/Dz/sJ+lGDyYgWPL/kc7yfnQ:U40JpqtZzjBRvI5Gdy0OjtwLY9BDz/PW
            MD5:8E2C63E761A22724382338F349C55014
            SHA1:30C7F92A6E88C368B091E39665545EAFA8A6561F
            SHA-256:4CA6E16BEB57278E60E3EDCBCECDA1442AA344C424421E4B078F1213E6B99376
            SHA-512:92F289DDBD9D1E5103C36308DA84779708A292DC54F49A0A1B79D65C563378BBF08C98F3732F25365CCF8175589D8E6187CEE2A694AE5FB73CA9E85AECFF4CF1
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W..6...e...e...e..%e3..e|.d...e|.d...e|.d...e|.d...e...ec..e|.d6..e|.Ie...e|.d...eRich...e................PE..d.....e.........."......,...P.................@..........................................`.......... .........................................................H?...................g..T....................y..(....x...............y..P............................text....+.......,.................. ..`.rdata..\....@.......0..............@..@.data...`[...0......................@....pdata..H?.......@..................@..@.rsrc...............^..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\oobM\MFC42u.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2150400
            Entropy (8bit):3.5942759550882832
            Encrypted:false
            SSDEEP:12288:BVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1u:wfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:DB0FB2C1640C7E176AD5B8C83BE68823
            SHA1:86452C8617E4F9FAC9AB219DE1E45F3F8285541C
            SHA-256:5782DEB31D2ED74626BFE53E3D100DF785A536EB164898D4EFF01A017A96DBFD
            SHA-512:8E03D8A585C337A7D36446E274C64B3DB1E1E21A983FFD2BA5C1D374A4382A685C7CAB2F5EBA84A42DCB6D902CB96F2FD5D131862AE9029A5C354CD849708C27
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.'..DN^.........." ................p..........@.............................. .....@lx}..b..........................................` ..l...c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\oobM\mmc.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):1859584
            Entropy (8bit):6.170036018738162
            Encrypted:false
            SSDEEP:24576:jkx6/5L0DOw7CYHrgS3TY8hVLujvKfukMo7wMo7DH:jx/VoCYLgS3JhNQval7e7DH
            MD5:BA80301974CC8C4FB9F3F9DDB5905C30
            SHA1:382008FBA9480F6568DB3E1F335D080192DE62CA
            SHA-256:683C0CB518B3FE31CFFA7FCF79F5EFC18D355C6D52734757758ED26AE5950037
            SHA-512:50B9F485F2C0291FF724E33133A1C5941ECA367C0EA03ACFB3560756848183B7301165E4A4D8E9B813142872A14CE95D97DAAFE355EBB9C7AEA5F6252A1045DA
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........qd.T...T...T...]h..V...;t..W...;t..q...;t..Z...;t..C...T.......;t..?...;t..U...;t..U...RichT...........................PE..d...2............"......t.....................@..........................................@.........0=......................................xK.......0..@F...@..$................9......T....................X..(...@1...............}..p...D........................text...@r.......t.................. ..`.rdata...............x..............@..@.data................x..............@....pdata..$....@......................@..@.didat....... ......................@....rsrc...@F...0...H..................@..@.reloc...9.......:...&..............@..B................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\zshP\VERSION.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2125824
            Entropy (8bit):3.5538487124192493
            Encrypted:false
            SSDEEP:12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:2393DBDB7B83B4F04D36585D7BD53D12
            SHA1:6763ADDEF91982DBC7A1C8FD23653BB470BBA183
            SHA-256:82E108220C59CA7F0733EBC7BE4B484A040DBF2AE89061599CA60C1951D4206B
            SHA-512:9A1EAB4660873C76A882ADA54F163825C71E3D4F96D3F682531B47E6F69F5FEDF32E3CE572FE39D02572CCC7515CD559B135CE9BEC5E6F3DBDBF825244FC36CB
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.'..DN^.........." .........P......p..........@.............................p .....@lx}..b..........................................` .+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\zshP\sigverif.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):74752
            Entropy (8bit):6.227529985586147
            Encrypted:false
            SSDEEP:1536:yGD6cQz4Ig9F+JrM+FqrEGtxzAZT3WuEs:Uccg9kC+FqrEGkB7
            MD5:8BADFA1EAEC018D2EDFE5630577F0B0F
            SHA1:43091FDC6B068E36FE0AE374A0C096C8912ACD5B
            SHA-256:DA824555DB880996AEF4DF4C68B499139040A4EA68D533E676059A12C8563BEB
            SHA-512:080FED8F14CD192CDD4602504E82F8906B64EA9991D81C07B4BDF63BFABD2B257D7355E6546A83B223F817E231C5496362D73D2E6001B83D81F8CE704EE91659
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R_..R_..R_..W^..R_..Q^..R_..V^..R_..S^..R_..S_..R_..Z^..R_.._..R_..P^..R_Rich..R_........PE..d....{.T.........."......r..........`x.........@.............................p......&x....`.......... ......................................d...........`....................`.. .......T............................................................................text....p.......r.................. ..`.rdata...$.......&...v..............@..@.data...............................@....pdata..............................@..@.rsrc...`...........................@..@.reloc.. ....`......."..............@..B................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a
            Process:C:\Windows\explorer.exe
            File Type:data
            Category:dropped
            Size (bytes):4442
            Entropy (8bit):5.475608894086636
            Encrypted:false
            SSDEEP:48:jZnGgUWSn/oB2Nagg5JtGgWHTMVZnGgUWs6cVfKJlD9Ow1K0sjOWLek:jZGg1iaBodTsZGg6XI7DEB
            MD5:265559C6982B3A4CF08B093CA2B36B05
            SHA1:38AB5D305B69D0CB9EE68066CD9BF77529AB3DDF
            SHA-256:CAD2600DEE248B2D18B8CDAA66194C1580B21F01FDDBFCD51D0C3912059EFB99
            SHA-512:E9845473C172D7C81326A242EC78D102A9FF2693E2848577907DD944CAB0AD62E0DF6C543EEE744C1802DEF402749557F493AE23622B664A94BC9CB704DCAC7D
            Malicious:false
            Reputation:unknown
            Preview: ........................................user.........................................user.....................RSA1.................].~."I..I..Ee..Y.M4..|.....Box.....bUB5..3...!....I.@.....i.E..|W..#v.J.. bJ0#..v.3.'.....!\OBL7....Wj....S....m.Y...e.j........................z..O.......K.cY..C....a.......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... .....iX....c...."..Jq....Xp..(p.ty............ .............Z....TT=..He....?......8..a.#X.s..g..._.....:uG.9.........[.R...._..D.!.....\.A.&...~.F..C......4...'....0.H4k..BLP..M...e~...._..?..4Q.*...2]..]L0=.sf.6..8..w....o.>..!...../.o.i...A{*.Q.GH.v...c.;.. ..h.w|)..I..k.Ka.B.............)LF.N.}I.4D..k$._..0.Q..ID.By..\...S.....Y-.i2.J%].h..q...2.i..w.."=KZ..B.1..9[H.QW......3Z.;C`......>.._%..c...[#D..gh...`...X")R<...~8..6K....%...........&.\.[.7$..q.I..[....cx..J..2.b....s....$.......m7...PB.......c..]7....rZ|.w#f4..z..U..}.U/p..`..].??.d..^Y....N..[r....yD....G...q..>..#t...i.........}M.`

            Static File Info

            General

            File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Entropy (8bit):3.5870494758907925
            TrID:
            • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
            • Win64 Executable (generic) (12005/4) 10.17%
            • Generic Win/DOS Executable (2004/3) 1.70%
            • DOS Executable Generic (2002/1) 1.70%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
            File name:3PgaI7gtQn.dll
            File size:2121728
            MD5:8a6f4fe59b41d74501e04f1b451dc57d
            SHA1:064f5eca3efd02c5f40a8c9e7fedb86aa40eeed0
            SHA256:d7cb31b51d497eaac81246a38db0abd05398832fb301cb1b97d1ca979df2a4ca
            SHA512:4dfb736dc4e967f964d4a8eac22808fd7249fe39500752bf8b2cc9c197107bc6347ba7da07f20dda47b7d7bd14217792a81222e60f7d648918a93f222ab8084c
            SSDEEP:12288:1VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:sfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|.

            File Icon

            Icon Hash:74f0e4ecccdce0e4

            Static PE Info

            General

            Entrypoint:0x140041070
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x140000000
            Subsystem:windows cui
            Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
            DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Time Stamp:0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:0
            File Version Major:5
            File Version Minor:0
            Subsystem Version Major:5
            Subsystem Version Minor:0
            Import Hash:6668be91e2c948b183827f040944057f

            Entrypoint Preview

            Instruction
            dec eax
            xor eax, eax
            dec eax
            add eax, 5Ah
            dec eax
            mov dword ptr [00073D82h], ecx
            dec eax
            lea ecx, dword ptr [FFFFECABh]
            dec eax
            mov dword ptr [00073D7Ch], edx
            dec eax
            add eax, ecx
            dec esp
            mov dword ptr [00073D92h], ecx
            dec esp
            mov dword ptr [00073DA3h], ebp
            dec esp
            mov dword ptr [00073D7Ch], eax
            dec esp
            mov dword ptr [00073D85h], edi
            dec esp
            mov dword ptr [00073D86h], esi
            dec esp
            mov dword ptr [00073D8Fh], esp
            dec eax
            mov ecx, eax
            dec eax
            sub ecx, 5Ah
            dec eax
            mov dword ptr [00073D89h], esi
            dec eax
            test eax, eax
            je 00007F301C9053FFh
            dec eax
            mov dword ptr [00073D45h], esp
            dec eax
            mov dword ptr [00073D36h], ebp
            dec eax
            mov dword ptr [00073D7Fh], ebx
            dec eax
            mov dword ptr [00073D70h], edi
            dec eax
            test eax, eax
            je 00007F301C9053DEh
            jmp ecx
            dec eax
            add edi, ecx
            dec eax
            mov dword ptr [FFFFEC37h], ecx
            dec eax
            xor ecx, eax
            jmp ecx
            retn 0008h
            ud2
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push ebx
            dec eax
            sub esp, 00000080h
            mov eax, F957B016h
            mov byte ptr [esp+7Fh], 00000037h
            mov edx, dword ptr [esp+78h]
            inc ecx
            mov eax, edx
            inc ecx
            or eax, 5D262B0Ch
            inc esp
            mov dword ptr [esp+78h], eax
            dec eax
            mov dword ptr [eax+eax+00h], 00000000h

            Rich Headers

            Programming Language:
            • [LNK] VS2012 UPD4 build 61030
            • [ASM] VS2013 UPD2 build 30501
            • [ C ] VS2012 UPD2 build 60315
            • [C++] VS2013 UPD4 build 31101
            • [RES] VS2012 UPD3 build 60610
            • [LNK] VS2017 v15.5.4 build 25834
            • [ C ] VS2017 v15.5.4 build 25834
            • [ASM] VS2010 build 30319
            • [EXP] VS2015 UPD1 build 23506
            • [IMP] VS2008 SP1 build 30729
            • [RES] VS2012 UPD4 build 61030
            • [LNK] VS2012 UPD2 build 60315
            • [C++] VS2015 UPD1 build 23506
            • [ C ] VS2013 UPD4 build 31101

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x204010 | 0x1f1a | .gxixek
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6390 | 0xa0 | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x468 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc1000 | 0x2324 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x42000 | 0xc0 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x40796 | 0x41000 | False | 0.776085486779 | data | 7.73364605679 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rdata | 0x42000 | 0x64f2c | 0x65000 | False | 0.702390160891 | data | 7.86574512659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xa7000 | 0x178b8 | 0x18000 | False | 0.0694580078125 | data | 3.31515306295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .pdata | 0xbf000 | 0x12c | 0x1000 | False | 0.06005859375 | PEX Binary Archive | 0.581723022719 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rsrc | 0xc0000 | 0x880 | 0x1000 | False | 0.139892578125 | data | 1.23838501563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xc1000 | 0x2324 | 0x3000 | False | 0.0498046875 | data | 4.65321444248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            .qkm | 0xc4000 | 0x74a | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .cvjb | 0xc5000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .tlmkv | 0xc7000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .wucsxe | 0xc8000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .fltwtj | 0x10e000 | 0x1267 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .sfplio | 0x110000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rpg | 0x111000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .bewzc | 0x157000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .vksvaw | 0x159000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .wmhg | 0x15a000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .kswemc | 0x15c000 | 0x36d | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .kaxfk | 0x15d000 | 0x197d | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .pjf | 0x15f000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .favk | 0x160000 | 0x1f7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .vhtukj | 0x161000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .hmbyox | 0x1a7000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .djv | 0x1a8000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .hpern | 0x1a9000 | 0x706 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .czzwqg | 0x1aa000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .jxjvn | 0x1ab000 | 0xbf6 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .jfsnsk | 0x1ac000 | 0x1f7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .nzvifv | 0x1ad000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .tops | 0x1ae000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .lrjye | 0x1b0000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .qwdob | 0x1b1000 | 0x6cd0 | 0x7000 | False | 0.00177873883929 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .xcq | 0x1b8000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .ifxvj | 0x1b9000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .fgpyt | 0x1ba000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .tgzhe | 0x1bc000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .oocus | 0x1bd000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .ybtor | 0x203000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .gxixek | 0x204000 | 0x1f2a | 0x2000 | False | 0.413330078125 | data | 5.51434056843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            Name | RVA | Size | Type | Language | Country
            RT_VERSION | 0xc00a0 | 0x370 | data | English | United States
            RT_MANIFEST | 0xc0410 | 0x56 | ASCII text, with CRLF line terminators | English | United States

            Imports

            DLL | Import
            USER32.dll | LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
            SETUPAPI.dll | CM_Get_Resource_Conflict_DetailsW
            KERNEL32.dll | DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
            GDI32.dll | CreateBitmapIndirect, GetPolyFillMode
            CRYPT32.dll | CertGetCTLContextProperty
            ADVAPI32.dll | AddAccessDeniedObjectAce
            SHLWAPI.dll | ChrCmpIW

Exports

Name  Ordinal  Address
CopyPropVariant  10  0x140023308
CreatePropVariant  11  0x140002428
CreatePropertyStore  12  0x140007828
DestroyPropVariant  13  0x14001de24
FormatTagFromWfx  1  0x1400222b4
GetAMSubtypeFromD3DFormat  14  0x140022d18
GetD3DFormatFromMFSubtype  15  0x14003f734
MFAddPeriodicCallback  16  0x1400238e0
MFAllocateSerialWorkQueue  17  0x14002bcac
MFAllocateWorkQueue  18  0x1400204f8
MFAllocateWorkQueueEx  19  0x140038680
MFAppendCollection  20  0x14001a25c
MFAverageTimePerFrameToFrameRate  21  0x14001eae4
MFBeginCreateFile  22  0x14001af34
MFBeginGetHostByName  23  0x14001df68
MFBeginRegisterWorkQueueWithMMCSS  24  0x140004d98
MFBeginRegisterWorkQueueWithMMCSSEx  25  0x140010714
MFBeginUnregisterWorkQueueWithMMCSS  26  0x1400114b4
MFCalculateBitmapImageSize  27  0x140004674
MFCalculateImageSize  28  0x14001c86c
MFCallStackTracingClearSnapshot  29  0x1400305d0
MFCallStackTracingLogSessionErrors  30  0x140001ea0
MFCallStackTracingRestoreSnapshot  31  0x140035570
MFCallStackTracingTakeSnapshot  32  0x14003f0d8
MFCancelCreateFile  33  0x14000a6c4
MFCancelWorkItem  34  0x140012c90
MFClearLocalMFTs  35  0x140021744
MFCompareFullToPartialMediaType  36  0x14003ccdc
MFCompareSockaddrAddresses  37  0x140023bd4
MFConvertColorInfoFromDXVA  38  0x140035380
MFConvertColorInfoToDXVA  39  0x14003ff5c
MFConvertFromFP16Array  40  0x140005ca4
MFConvertToFP16Array  41  0x140041214
MFCopyImage  42  0x140011c4c
MFCreate2DMediaBuffer  43  0x1400026ec
MFCreate2DMediaBufferOn1DMediaBuffer  44  0x14002df9c
MFCreateAMMediaTypeFromMFMediaType  45  0x14002f304
MFCreateAlignedMemoryBuffer  46  0x14003269c
MFCreateAlignedSharedMemoryBuffer  47  0x140033668
MFCreateAsyncResult  48  0x140030c38
MFCreateAttributes  49  0x14000f0cc
MFCreateAudioMediaType  50  0x14002be34
MFCreateByteStreamHandlerAppServiceActivate  51  0x140018b64
MFCreateCollection  52  0x14002ea68
MFCreateContentDecryptorContext  53  0x140009840
MFCreateContentProtectionDevice  54  0x1400184b0
MFCreateDXGIDeviceManager  55  0x1400346bc
MFCreateDXGISurfaceBuffer  56  0x140033790
MFCreateDXSurfaceBuffer  57  0x14001bd50
MFCreateEventQueue  58  0x14000d868
MFCreateFence  59  0x140002b00
MFCreateFile  60  0x140035720
MFCreateFileFromHandle  61  0x140020c48
MFCreateLegacyMediaBufferOnMFMediaBuffer  62  0x140008368
MFCreateMFByteStreamOnIStreamWithFlags  63  0x140040134
MFCreateMFByteStreamOnStream  64  0x140020cf4
MFCreateMFByteStreamOnStreamEx  65  0x14001acdc
MFCreateMFByteStreamWrapper  66  0x14002ceb0
MFCreateMFVideoFormatFromMFMediaType  67  0x140015b88
MFCreateMediaBufferFromMediaType  68  0x140021b08
MFCreateMediaBufferWrapper  69  0x14003b218
MFCreateMediaEvent  70  0x14003759c
MFCreateMediaEventResult  71  0x140026f80
MFCreateMediaExtensionActivate  72  0x14002edc8
MFCreateMediaExtensionActivateNoInit  73  0x14001a92c
MFCreateMediaExtensionAppServiceActivate  74  0x140013124
MFCreateMediaExtensionInprocActivate  75  0x1400120d8
MFCreateMediaType  76  0x14002b764
MFCreateMediaTypeFromProperties  77  0x1400236d4
MFCreateMediaTypeFromRepresentation  78  0x14000eddc
MFCreateMemoryBuffer  79  0x140010e28
MFCreateMemoryBufferFromRawBuffer  80  0x140013c9c
MFCreateMemoryStream  81  0x140001f90
MFCreateMuxStreamAttributes  82  0x140004ed0
MFCreateMuxStreamMediaType  83  0x1400237c8
MFCreateMuxStreamSample  84  0x140039c6c
MFCreateOOPMFTProxy  85  0x14000803c
MFCreateOOPMFTRemote  86  0x14001d880
MFCreatePathFromURL  87  0x14001431c
MFCreatePresentationDescriptor  88  0x14000dfec
MFCreatePropertiesFromMediaType  89  0x140015cac
MFCreateReusableByteStream  90  0x1400342f4
MFCreateReusableByteStreamWithSharedLock  91  0x140006228
MFCreateSample  92  0x14002ade8
MFCreateSecureBufferAllocator  93  0x14001fe18
MFCreateSharedMemoryMediaBufferFromMediaType  94  0x140013928
MFCreateSocket  95  0x14000ec58
MFCreateSocketListener  96  0x140004150
MFCreateSourceResolver  97  0x14002bc38
MFCreateSourceResolverInternal  98  0x140009f04
MFCreateStagingSurfaceWrapper  99  0x14002760c
MFCreateStreamDescriptor  100  0x1400095b0
MFCreateStreamOnMFByteStream  101  0x1400047dc
MFCreateStreamOnMFByteStreamEx  102  0x1400209a8
MFCreateSystemTimeSource  103  0x140013f90
MFCreateTelemetrySession  104  0x1400311fc
MFCreateTempFile  105  0x14001f4f8
MFCreateTrackedSample  106  0x14001b2d4
MFCreateTransformActivate  107  0x1400134e4
MFCreateURLFromPath  108  0x14000de7c
MFCreateUdpSockets  109  0x14000599c
MFCreateVideoDecryptorContext  110  0x140038d48
MFCreateVideoMediaType  111  0x14002bd78
MFCreateVideoMediaTypeFromBitMapInfoHeader  112  0x140024960
MFCreateVideoMediaTypeFromBitMapInfoHeaderEx  113  0x1400108dc
MFCreateVideoMediaTypeFromSubtype  114  0x14003f6e4
MFCreateVideoMediaTypeFromVideoInfoHeader  115  0x140023e30
MFCreateVideoMediaTypeFromVideoInfoHeader2  116  0x14003cc5c
MFCreateVideoSampleAllocatorEx  117  0x14003f4f8
MFCreateWICBitmapBuffer  118  0x14003959c
MFCreateWaveFormatExFromMFMediaType  119  0x1400028a8
MFDeserializeAttributesFromStream  120  0x14003f5ec
MFDeserializeEvent  121  0x140031a2c
MFDeserializeMediaTypeFromStream  122  0x14003fbb0
MFDeserializePresentationDescriptor  123  0x140018850
MFEndCreateFile  124  0x140041600
MFEndGetHostByName  125  0x14003cce0
MFEndRegisterWorkQueueWithMMCSS  126  0x140011660
MFEndUnregisterWorkQueueWithMMCSS  127  0x1400259e8
MFEnumLocalMFTRegistrations  2  0x140032120
MFFrameRateToAverageTimePerFrame  128  0x14003df74
MFFreeAdaptersAddresses  129  0x140014668
MFGetAdaptersAddresses  130  0x14002e758
MFGetAttributesAsBlob  131  0x14000f98c
MFGetAttributesAsBlobSize  132  0x140005298
MFGetCallStackTracingWeakReference  133  0x140008248
MFGetConfigurationDWORD  134  0x140005e44
MFGetConfigurationPolicy  135  0x14003c4d0
MFGetConfigurationStore  136  0x140004f40
MFGetConfigurationString  137  0x14003e5a8
MFGetContentProtectionSystemCLSID  138  0x14003f36c
MFGetMFTMerit  139  0x14003be78
MFGetNumericNameFromSockaddr  140  0x14003f858
MFGetPlaneSize  141  0x14000ce34
MFGetPlatformFlags  3  0x1400144b0
MFGetPlatformVersion  4  0x140032684
MFGetPluginControl  142  0x1400375b4
MFGetRandomNumber  5  0x14000cac4
MFGetSockaddrFromNumericName  143  0x140024734
MFGetStrideForBitmapInfoHeader  144  0x1400093dc
MFGetSupportedMimeTypes  145  0x140008058
MFGetSupportedSchemes  146  0x14003994c
MFGetSystemTime  147  0x140037848
MFGetTimerPeriodicity  148  0x140027e10
MFGetUncompressedVideoFormat  149  0x140023948
MFGetWorkQueueMMCSSClass  150  0x1400401d0
MFGetWorkQueueMMCSSPriority  151  0x14002c068
MFGetWorkQueueMMCSSTaskId  152  0x14000df70
MFHasLocallyRegisteredByteStreamHandlers  153  0x14003b970
MFHasLocallyRegisteredSchemeHandlers  154  0x14003b048
MFHeapAlloc  155  0x14002a870
MFHeapFree  156  0x140039604
MFInitAMMediaTypeFromMFMediaType  157  0x14001b2dc
MFInitAttributesFromBlob  158  0x140002cfc
MFInitMediaTypeFromAMMediaType  159  0x14001f3bc
MFInitMediaTypeFromMFVideoFormat  160  0x14001cc8c
MFInitMediaTypeFromMPEG1VideoInfo  161  0x140028804
MFInitMediaTypeFromMPEG2VideoInfo  162  0x14001d8a4
MFInitMediaTypeFromVideoInfoHeader  163  0x140001228
MFInitMediaTypeFromVideoInfoHeader2  164  0x14003ca9c
MFInitMediaTypeFromWaveFormatEx  165  0x140017560
MFInitVideoFormat  166  0x14002800c
MFInitVideoFormat_RGB  167  0x140035508
MFInvalidateMFTEnumCache  168  0x140008e9c
MFInvokeCallback  169  0x1400183e4
MFIsBottomUpFormat  170  0x1400017b8
MFIsContentProtectionDeviceSupported  171  0x140027e70
MFIsFeatureEnabled  6  0x140007164
MFIsLocallyRegisteredMimeType  172  0x140013f84
MFIsLocallyRegisteredSchemeHandler  173  0x140023170
MFJoinWorkQueue  174  0x140015418
MFLockDXGIDeviceManager  175  0x14002f0c8
MFLockPlatform  176  0x14003343c
MFLockSharedWorkQueue  177  0x140035470
MFLockWorkQueue  178  0x140028bd4
MFMapDX9FormatToDXGIFormat  179  0x14002dcd0
MFMapDXGIFormatToDX9Format  180  0x14002a9d0
MFPlatformBigEndian  7  0x14003bd5c
MFPlatformLittleEndian  8  0x14000c594
MFPutWaitingWorkItem  181  0x14000f270
MFPutWorkItem  182  0x14002591c
MFPutWorkItem2  183  0x140020994
MFPutWorkItemEx  184  0x14002fc94
MFPutWorkItemEx2  185  0x14002e2c0
MFRegisterLocalByteStreamHandler  186  0x14002c8ec
MFRegisterLocalSchemeHandler  187  0x14003e4fc
MFRegisterPlatformWithMMCSS  188  0x14000b464
MFRemovePeriodicCallback  189  0x140029818
MFScheduleWorkItem  190  0x140038778
MFScheduleWorkItemEx  191  0x140029e00
MFSerializeAttributesToStream  192  0x140003a7c
MFSerializeEvent  193  0x1400055c0
MFSerializeMediaTypeToStream  194  0x140025604
MFSerializePresentationDescriptor  195  0x14002da30
MFSetMinimumMemoryAlignment  196  0x140021474
MFSetSockaddrAny  197  0x140030224
MFSetWindowForContentProtection  198  0x140026ac0
MFShutdown  199  0x14000375c
MFStartup  200  0x14000db00
MFStreamDescriptorProtectMediaType  201  0x14002e870
MFTEnum  202  0x14002542c
MFTEnum2  203  0x14003a0ec
MFTEnumEx  204  0x140039528
MFTGetInfo  205  0x140028b98
MFTRegister  206  0x14000fae4
MFTRegisterLocal  207  0x14000fab8
MFTRegisterLocalByCLSID  208  0x140040374
MFTUnregister  209  0x14003be90
MFTUnregisterLocal  210  0x140030524
MFTUnregisterLocalByCLSID  211  0x140013470
MFTraceError  212  0x140007cd8
MFTraceFuncEnter  213  0x14002d694
MFUnjoinWorkQueue  214  0x140033fcc
MFUnlockDXGIDeviceManager  215  0x1400180a4
MFUnlockPlatform  216  0x140032b68
MFUnlockWorkQueue  217  0x140004918
MFUnregisterPlatformFromMMCSS  218  0x14003c798
MFUnwrapMediaType  219  0x14002ed44
MFValidateMediaTypeSize  220  0x14002f3f4
MFWrapMediaType  221  0x14000d5f0
MFWrapSocket  222  0x14000f674
MFllMulDiv  223  0x140026014
PropVariantFromStream  224  0x140023bb4
PropVariantToStream  225  0x140022310
ValidateWaveFormat  9  0x140036380

The 225 names above reproduce the export table of the Windows Media Foundation platform DLL (mfplat.dll). Copying a legitimate system DLL's complete export set is what allows a malicious DLL to be dropped beside a signed executable that imports that DLL and be loaded in its place; the sandbox accordingly invokes each export through rundll32.exe in the process list below.

Version Infos

Description  Data
LegalCopyright  Microsoft Corporation. All rights reserv
InternalName  bitsp
FileVersion  7.5.7600.16385 (win7_rtm.090713-
CompanyName  Microsoft Corporati
ProductName  Microsoft Windows Operating S
ProductVersion  6.1.7600
FileDescription  Background Intellig
OriginalFilename  kbdy
Translation  0x0409 0x04b0

The version strings appear truncated and are internally inconsistent: the InternalName fragment (bitsp), the OriginalFilename fragment (kbdy), the Background Intelligent Transfer file description and the Windows 7 (6.1.7600) build string describe different Microsoft components, none of which matches the Media Foundation export table above. A version resource that disagrees with the file's own exports is a common masquerading indicator and is worth checking on any unsigned DLL found next to a signed host executable.

Possible Origin

Language of compilation system  Country where language is spoken
English  United States

            Network Behavior

UDP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
Sep 28, 2021 10:52:18.943373919 CEST  49257  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:18.971746922 CEST  53  49257  8.8.8.8  192.168.2.4
Sep 28, 2021 10:52:48.730741024 CEST  62389  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:48.778919935 CEST  53  62389  8.8.8.8  192.168.2.4
Sep 28, 2021 10:52:49.734600067 CEST  49910  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:49.776108980 CEST  53  49910  8.8.8.8  192.168.2.4
Sep 28, 2021 10:52:50.722290993 CEST  55854  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:50.767255068 CEST  53  55854  8.8.8.8  192.168.2.4
Sep 28, 2021 10:52:51.199672937 CEST  64549  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:51.219640970 CEST  53  64549  8.8.8.8  192.168.2.4
Sep 28, 2021 10:52:52.351464033 CEST  63153  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:52.388010979 CEST  53  63153  8.8.8.8  192.168.2.4
Sep 28, 2021 10:52:53.905107021 CEST  52991  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:53.928014994 CEST  53  52991  8.8.8.8  192.168.2.4
Sep 28, 2021 10:52:55.017039061 CEST  53700  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:55.034552097 CEST  53  53700  8.8.8.8  192.168.2.4
Sep 28, 2021 10:52:56.528999090 CEST  51726  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:56.557730913 CEST  53  51726  8.8.8.8  192.168.2.4
Sep 28, 2021 10:52:57.504981995 CEST  56794  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:57.524214029 CEST  53  56794  8.8.8.8  192.168.2.4
Sep 28, 2021 10:52:58.911386013 CEST  56534  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:58.930448055 CEST  53  56534  8.8.8.8  192.168.2.4
Sep 28, 2021 10:52:59.624475002 CEST  56627  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:59.649210930 CEST  53  56627  8.8.8.8  192.168.2.4
Sep 28, 2021 10:53:05.142904043 CEST  56621  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:53:05.164335966 CEST  53  56621  8.8.8.8  192.168.2.4
Sep 28, 2021 10:53:36.910737991 CEST  63116  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:53:36.938954115 CEST  53  63116  8.8.8.8  192.168.2.4
Sep 28, 2021 10:53:42.748037100 CEST  64078  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:53:42.788958073 CEST  53  64078  8.8.8.8  192.168.2.4
Sep 28, 2021 10:53:43.717382908 CEST  64801  53  192.168.2.4  8.8.8.8
Sep 28, 2021 10:53:43.754420996 CEST  53  64801  8.8.8.8  192.168.2.4
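All UDP traffic in the capture is DNS to 8.8.8.8, and from 10:52:48 onwards the queries arrive at roughly one-second intervals, which looks like a scripted resolution loop rather than user activity; the report does not print the names that were looked up. The script below is an added example, not part of the Joe Sandbox report: it parses rows in the table's column order (timestamp, source port, destination port, source IP, destination IP), pairs each query with its reply by ephemeral port, and reports round-trip time, unanswered queries and the gap between successive queries. The sample rows are constructed from the first three query/response pairs above plus one invented unanswered query on port 40000.

```python
"""Pair DNS queries with responses in a sandbox UDP packet table."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample in the report's column order. The first six rows are
# copied from the table above; the port-40000 query is invented so that the
# orphan check has something to find.
SAMPLE_ROWS = """\
Sep 28, 2021 10:52:18.943373919 CEST  49257  53     192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:18.971746922 CEST  53     49257  8.8.8.8      192.168.2.4
Sep 28, 2021 10:52:48.730741024 CEST  62389  53     192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:48.778919935 CEST  53     62389  8.8.8.8      192.168.2.4
Sep 28, 2021 10:52:49.734600067 CEST  49910  53     192.168.2.4  8.8.8.8
Sep 28, 2021 10:52:49.776108980 CEST  53     49910  8.8.8.8      192.168.2.4
Sep 28, 2021 10:52:50.722290993 CEST  40000  53     192.168.2.4  8.8.8.8
"""


@dataclass(frozen=True)
class Packet:
    ts: datetime
    sport: int
    dport: int
    src: str
    dst: str


def parse_timestamp(text: str) -> datetime:
    """Parse 'Sep 28, 2021 10:52:18.943373919 CEST'.

    The report prints nanoseconds but strptime only understands microseconds,
    so the last three digits are dropped. The zone suffix is the same on every
    row and is discarded.
    """
    date, clock, _zone = text.rsplit(" ", 2)
    secs, frac = clock.split(".")
    return datetime.strptime(f"{date} {secs}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(table: str) -> List[Packet]:
    packets: List[Packet] = []
    for line in table.splitlines():
        fields = line.split()
        if not fields:
            continue
        # The timestamp occupies the first five whitespace-separated tokens.
        ts = parse_timestamp(" ".join(fields[:5]))
        sport, dport, src, dst = fields[5:9]
        packets.append(Packet(ts, int(sport), int(dport), src, dst))
    return packets


def pair_dns(packets: List[Packet]) -> Tuple[List[Tuple[Packet, Packet, float]], List[Packet]]:
    """Match each client query (dst port 53) to the reply that returns to the
    same ephemeral port from the same resolver. Returns (pairs, unanswered);
    each pair carries the round-trip time in milliseconds."""
    pending: Dict[Tuple[str, str, int], Packet] = {}
    pairs: List[Tuple[Packet, Packet, float]] = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.dport == 53:
            pending[(p.src, p.dst, p.sport)] = p
        elif p.sport == 53:
            query = pending.pop((p.dst, p.src, p.dport), None)
            if query is not None:
                pairs.append((query, p, (p.ts - query.ts).total_seconds() * 1000.0))
    return pairs, sorted(pending.values(), key=lambda x: x.ts)


def query_gaps(packets: List[Packet]) -> List[float]:
    """Seconds between consecutive client queries. A near-constant gap is the
    signature of a resolution loop driven by code, not by a user."""
    times = sorted(p.ts for p in packets if p.dport == 53)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def summarize(table: str = SAMPLE_ROWS) -> dict:
    packets = parse_rows(table)
    pairs, unanswered = pair_dns(packets)
    return {
        "queries": sum(1 for p in packets if p.dport == 53),
        "answered": len(pairs),
        "unanswered_ports": [p.sport for p in unanswered],
        "rtt_ms": [round(rtt, 1) for _, _, rtt in pairs],
        "gaps_s": [round(g, 2) for g in query_gaps(packets)],
    }


if __name__ == "__main__":
    print(summarize())
```

Against the full table the same pairing shows every query answered within about 50 ms, which says the resolver is reachable; what it cannot say is what was resolved, so the names have to come from a pcap or DNS logs rather than from this report.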

Behavior
System Behavior

General

Start time: 10:51:52
Start date: 28/09/2021
Path: C:\Windows\System32\loaddll64.exe
Wow64 process (32bit): false
Commandline: loaddll64.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll'
Imagebase: 0x7ff690cb0000
File size: 140288 bytes
MD5 hash: A84133CCB118CF35D49A423CD836D0EF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.826268433.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 10:51:53
Start date: 28/09/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1
Imagebase: 0x7ff622070000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:51:53
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CopyPropVariant
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.760994382.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 10:51:53
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.666186606.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 10:51:54
Start date: 28/09/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:51:56
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropVariant
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.673965568.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 10:52:00
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CreatePropertyStore
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000007.00000002.681251793.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 10:52:03
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,DestroyPropVariant
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.688453025.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 10:52:07
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,FormatTagFromWfx
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.698430783.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:10
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetAMSubtypeFromD3DFormat
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000002.703548461.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:14
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,GetD3DFormatFromMFSubtype
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000B.00000002.710759124.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:17
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAddPeriodicCallback
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000D.00000002.718583222.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:21
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateSerialWorkQueue
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000F.00000002.726244001.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:24
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueue
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000010.00000002.733013846.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:28
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAllocateWorkQueueEx
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000011.00000002.741881097.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:32
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAppendCollection
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000013.00000002.749401860.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:35
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFAverageTimePerFrameToFrameRate
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.756539402.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:38
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginCreateFile
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000015.00000002.820144134.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:40
Start date: 28/09/2021
Path: C:\Windows\System32\bdeunlock.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\bdeunlock.exe
Imagebase: 0x7ff6563e0000
File size: 286232 bytes
MD5 hash: FAB70105E2075EEC9C249A4D499CAE7C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:52:42
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginGetHostByName
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000017.00000002.776537982.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:46
Start date: 28/09/2021
Path: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe
Imagebase: 0x7ff77b970000
File size: 286232 bytes
MD5 hash: FAB70105E2075EEC9C249A4D499CAE7C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001B.00000002.783009139.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:47
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSS
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001C.00000002.783658899.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:50
Start date: 28/09/2021
Path: C:\Windows\System32\CameraSettingsUIHost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\CameraSettingsUIHost.exe
Imagebase: 0x7ff72c230000
File size: 32104 bytes
MD5 hash: 34F32BC06CDC7AF56607D351B155140D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:52:51
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginRegisterWorkQueueWithMMCSSEx
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001E.00000002.794067616.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:55
Start date: 28/09/2021
Path: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe
Imagebase: 0x7ff7fd010000
File size: 32104 bytes
MD5 hash: 34F32BC06CDC7AF56607D351B155140D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.800645636.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs

General

Start time: 10:52:55
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,MFBeginUnregisterWorkQueueWithMMCSS
Imagebase: 0x7ff6d7cd0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000020.00000002.802131007.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 10:52:58
Start date: 28/09/2021
Path: C:\Windows\System32\pwcreator.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\pwcreator.exe
Imagebase: 0x7ff7f0e90000
File size: 800768 bytes
MD5 hash: BF33FA218E0B4F6AEC77616BE0F5DD9D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:52:58
Start date: 28/09/2021
Path: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe
Imagebase: 0x7ff647f70000
File size: 800768 bytes
MD5 hash: BF33FA218E0B4F6AEC77616BE0F5DD9D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000023.00000002.812206472.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 0%, ReversingLabs
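The process list shows the side-loading stage of the infection rather than just the sandbox's export enumeration: three signed Windows executables (bdeunlock.exe, CameraSettingsUIHost.exe and pwcreator.exe) are first started from C:\Windows\System32, then run again a few seconds later from newly created folders under C:\Users\user\AppData\Local with byte-identical MD5 hashes, and only those copies carry the Dridex Yara match. The copies are unmodified Microsoft binaries, which is why the dropped-file scans report 0%; the malicious code reaches them through a DLL they load from the same folder, which this table does not list and which is therefore inference, not something the report prints. The Python below is an added detection example, not tooling from the report. Its event list is constructed from the entries above (the OneDrive entry and its all-zero hash are an invented benign control), and it keys on path, name and hash only because the report gives no parent-process links.

```python
"""Flag Windows binaries re-executed from user-writable folders (DLL side-loading)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessStart:
    start: str    # HH:MM:SS as printed in the report
    path: str     # image path
    cmdline: str
    md5: str


# Constructed sample modelled on the "System Behavior" entries above. Events
# are assumed to be in chronological order, as the report lists them. The
# OneDrive entry is an invented benign control with a placeholder hash.
SAMPLE: List[ProcessStart] = [
    ProcessStart("10:51:52", r"C:\Windows\System32\loaddll64.exe",
                 r"loaddll64.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll'",
                 "A84133CCB118CF35D49A423CD836D0EF"),
    ProcessStart("10:51:53", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\user\Desktop\3PgaI7gtQn.dll,CopyPropVariant",
                 "73C519F050C20580F8A62C849D49215A"),
    ProcessStart("10:51:53", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe 'C:\Users\user\Desktop\3PgaI7gtQn.dll',#1",
                 "73C519F050C20580F8A62C849D49215A"),
    ProcessStart("10:51:54", r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE",
                 "AD5296B280E8F522A8A897C96BAB0E1D"),
    ProcessStart("10:52:40", r"C:\Windows\System32\bdeunlock.exe",
                 r"C:\Windows\system32\bdeunlock.exe", "FAB70105E2075EEC9C249A4D499CAE7C"),
    ProcessStart("10:52:46", r"C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe",
                 r"C:\Users\user\AppData\Local\bnfeSWnf\bdeunlock.exe",
                 "FAB70105E2075EEC9C249A4D499CAE7C"),
    ProcessStart("10:52:50", r"C:\Windows\System32\CameraSettingsUIHost.exe",
                 r"C:\Windows\system32\CameraSettingsUIHost.exe",
                 "34F32BC06CDC7AF56607D351B155140D"),
    ProcessStart("10:52:55", r"C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe",
                 r"C:\Users\user\AppData\Local\43ip\CameraSettingsUIHost.exe",
                 "34F32BC06CDC7AF56607D351B155140D"),
    ProcessStart("10:52:58", r"C:\Windows\System32\pwcreator.exe",
                 r"C:\Windows\system32\pwcreator.exe", "BF33FA218E0B4F6AEC77616BE0F5DD9D"),
    ProcessStart("10:52:58", r"C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe",
                 r"C:\Users\user\AppData\Local\NfgW4al\pwcreator.exe",
                 "BF33FA218E0B4F6AEC77616BE0F5DD9D"),
    ProcessStart("10:53:00", r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                 r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                 "00000000000000000000000000000000"),
]

# Paths a standard user can write to; the Windows directory is the reference
# location for the legitimate copy of a system binary.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
# rundll32 <dll>,<export-or-#ordinal>, with or without quotes around the DLL.
RUNDLL_ARG = re.compile(r"^rundll32(?:\.exe)?\s+'?(?P<dll>[^',]+)'?,(?P<entry>\S+)", re.I)


def find_sideload_copies(events: List[ProcessStart]) -> List[Tuple[ProcessStart, ProcessStart]]:
    """Return (original, copy) pairs: a binary that ran from the Windows
    directory and then ran again, with the same MD5, from a user-writable
    folder. The identical hash is what separates side-loading of a genuine
    signed host from a simple name collision."""
    originals: Dict[str, ProcessStart] = {}
    hits: List[Tuple[ProcessStart, ProcessStart]] = []
    for ev in events:
        name = ntpath.basename(ev.path).lower()
        if WINDOWS_DIR.match(ev.path):
            originals.setdefault(name, ev)
        elif USER_WRITABLE.match(ev.path) and name in originals:
            if originals[name].md5.lower() == ev.md5.lower():
                hits.append((originals[name], ev))
    return hits


def find_rundll32_user_dlls(events: List[ProcessStart]) -> List[Tuple[str, str]]:
    """Return (dll, entry) for rundll32 invocations that load a DLL from a
    user-writable path; entry is an export name or '#ordinal'."""
    out: List[Tuple[str, str]] = []
    for ev in events:
        m = RUNDLL_ARG.match(ev.cmdline)
        if m and USER_WRITABLE.match(m.group("dll")):
            out.append((m.group("dll"), m.group("entry")))
    return out


def report(events: List[ProcessStart] = SAMPLE) -> dict:
    copies = find_sideload_copies(events)
    return {
        "sideload_dirs": [ntpath.dirname(copy.path) for _, copy in copies],
        "rundll32_entries": [entry for _, entry in find_rundll32_user_dlls(events)],
    }


if __name__ == "__main__":
    print(report())
```

On an endpoint the same logic maps onto Sysmon event ID 1 or Windows 4688 records: match the image name against the System32 inventory, require a user-writable directory, and confirm the hash against the catalog copy; the freshly created random-looking folder names (bnfeSWnf, 43ip, NfgW4al) are a useful secondary signal but not one the rule should depend on.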
