Windows Analysis Report P7n0h6OhYp

Overview

General Information

Sample Name: P7n0h6OhYp (renamed file extension from none to dll)
Analysis ID: 492431
MD5: 718a7d9b1fe55a72cfa586e869236df8
SHA1: 5d870aeb7951ab6af0900ba837924f79e3716936
SHA256: d485423afb5929de201a0fee5476c8b6d7d1a1868b537d7730db9b3e67d6a222
Tags: Dridexexe
Most interesting Screenshot:

Detection

Dridex
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Queues an APC in another process (thread injection)
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Drops files with a non-matching file extension (content does not match file extension)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Potential key logger detected (key state polling based)
PE file contains more sections than normal
Contains functionality to retrieve information about pressed keystrokes
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to create restore points
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: P7n0h6OhYp.dll Virustotal: Detection: 65%
Source: P7n0h6OhYp.dll Metadefender: Detection: 60%
Source: P7n0h6OhYp.dll ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: P7n0h6OhYp.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\1wgM9CYx\WINSTA.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\NNw\DUser.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\ocY6\WINMM.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Rn1XW4tG\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\aDD0Ov\dxgi.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\4PmTNr\SYSDM.CPL Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\j3KBEEMS\MFC42u.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\A7mgbJ\dpx.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\JrFH9qPBX\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\pEPyA\MFPlat.DLL Avira: detection malicious, Label: HEUR/AGEN.1114452

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35D88F8 CryptHashData, 26_2_00007FF7A35D88F8
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35D874C CryptHashData, 26_2_00007FF7A35D874C
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35D8534 CryptDestroyHash,CryptReleaseContext, 26_2_00007FF7A35D8534
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35D8610 CryptGetHashParam,memset, 26_2_00007FF7A35D8610
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35D8598 CryptAcquireContextW,CryptCreateHash, 26_2_00007FF7A35D8598
Source: P7n0h6OhYp.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: lpksetup.pdbGCTL source: lpksetup.exe, 00000022.00000000.454582465.00007FF75CA94000.00000002.00020000.sdmp, lpksetup.exe.6.dr
Source: Binary string: WindowsActionDialog.pdb source: WindowsActionDialog.exe, 00000027.00000000.492152009.00007FF63995B000.00000002.00020000.sdmp, WindowsActionDialog.exe.6.dr
Source: Binary string: RdpSa.pdbGCTL source: RdpSa.exe, 00000015.00000002.355771432.00007FF73A1B8000.00000002.00020000.sdmp, RdpSa.exe.6.dr
Source: Binary string: SessionMsg.pdb source: sessionmsg.exe, 00000029.00000000.518619141.00007FF7635CA000.00000002.00020000.sdmp, sessionmsg.exe.6.dr
Source: Binary string: RdpSa.pdb source: RdpSa.exe, 00000015.00000002.355771432.00007FF73A1B8000.00000002.00020000.sdmp, RdpSa.exe.6.dr
Source: Binary string: irftp.pdbGCTL source: irftp.exe.6.dr
Source: Binary string: MFPMP.pdb source: mfpmp.exe.6.dr
Source: Binary string: Narrator.pdb source: Narrator.exe, 00000025.00000000.481453109.00007FF69A2C7000.00000002.00020000.sdmp, Narrator.exe.6.dr
Source: Binary string: SystemPropertiesComputerName.pdb source: SystemPropertiesComputerName.exe.6.dr
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr
Source: Binary string: MFPMP.pdbUGP source: mfpmp.exe.6.dr
Source: Binary string: DXGIAdapterCache.pdbGCTL source: dxgiadaptercache.exe, 00000018.00000002.386856196.00007FF64DC58000.00000002.00020000.sdmp, dxgiadaptercache.exe.6.dr
Source: Binary string: SessionMsg.pdbGCTL source: sessionmsg.exe, 00000029.00000000.518619141.00007FF7635CA000.00000002.00020000.sdmp, sessionmsg.exe.6.dr
Source: Binary string: WindowsActionDialog.pdbGCTL source: WindowsActionDialog.exe, 00000027.00000000.492152009.00007FF63995B000.00000002.00020000.sdmp, WindowsActionDialog.exe.6.dr
Source: Binary string: SystemSettingsRemoveDevice.pdbGCTL source: SystemSettingsRemoveDevice.exe, 0000001E.00000002.451361109.00007FF6C5E66000.00000002.00020000.sdmp, SystemSettingsRemoveDevice.exe.6.dr
Source: Binary string: Narrator.pdbGCTL source: Narrator.exe, 00000025.00000000.481453109.00007FF69A2C7000.00000002.00020000.sdmp, Narrator.exe.6.dr
Source: Binary string: SystemPropertiesComputerName.pdbGCTL source: SystemPropertiesComputerName.exe.6.dr
Source: Binary string: DXGIAdapterCache.pdb source: dxgiadaptercache.exe, 00000018.00000002.386856196.00007FF64DC58000.00000002.00020000.sdmp, dxgiadaptercache.exe.6.dr
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr
Source: Binary string: lpksetup.pdb source: lpksetup.exe, 00000022.00000000.454582465.00007FF75CA94000.00000002.00020000.sdmp, lpksetup.exe.6.dr
Source: Binary string: SystemSettingsRemoveDevice.pdb source: SystemSettingsRemoveDevice.exe, 0000001E.00000002.451361109.00007FF6C5E66000.00000002.00020000.sdmp, SystemSettingsRemoveDevice.exe.6.dr
Source: Binary string: irftp.pdb source: irftp.exe.6.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D290 FindFirstFileExW, 1_2_000000014005D290
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5FC24 SetLastError,malloc,PathCchCombine,FindFirstFileW,GetLastError,free,malloc,PathCchCombine,DeleteFileW,FindNextFileW,RemoveDirectoryW,free,FindClose, 34_2_00007FF75CA5FC24
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA65828 memset,PathCchCombine,memset,FindFirstFileW,PathCchCombine,PathFindExtensionW,_wcsicmp,_wcsicmp,_wcsicmp,PathCchCombine,free,free,free,free,FindNextFileW,FindClose, 34_2_00007FF75CA65828
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augment
Source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/gameclips/Augment
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/screenshots/Augment
Source: GamePanel.exe String found in binary or memory: https://aka.ms/ifg0es
Source: GamePanel.exe String found in binary or memory: https://aka.ms/imfx4k
Source: GamePanel.exe String found in binary or memory: https://aka.ms/imrx2o
Source: GamePanel.exe String found in binary or memory: https://aka.ms/v5do45
Source: GamePanel.exe String found in binary or memory: https://aka.ms/w5ryqn
Source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING
Source: GamePanel.exe, GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://aka.ms/wk9ocd
Source: GamePanel.exe String found in binary or memory: https://mixer.com/%ws
Source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://mixer.com/%wsWindows.System.Launcher
Source: GamePanel.exe String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.png
Source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia
Source: GamePanel.exe, GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://mixer.com/api/v1/broadcasts/current
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/channels/%d
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/channels/%ws
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/chats/%.0f
Source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/oauth/xbl/login
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/types/lookup%ws
Source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/users/current
Source: GamePanel.exe String found in binary or memory: https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw
Source: GamePanel.exe String found in binary or memory: https://www.xboxlive.com
Source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2A5F30 #12,GetSystemMetrics,GetSystemMetrics,CreateRectRgn,GetDCEx,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SetStretchBltMode,StretchBlt,CoCreateInstance,DeleteObject,DeleteDC,DeleteDC,DeleteObject, 37_2_00007FF69A2A5F30
Installs a raw input device (often for capturing keystrokes)
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A36145E0 UiaReturnRawElementProvider,GetRawInputData,GetMessageExtraInfo,GetMessageExtraInfo,SendMessageW,SendMessageW,MulDiv,#413,Concurrency::cancel_current_task, 26_2_00007FF7A36145E0
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2C008C GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,memset,SendInput, 37_2_00007FF69A2C008C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2A7FDC BlockInput,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,BlockInput, 37_2_00007FF69A2A7FDC

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000018.00000002.383288122.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.410742595.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.324777282.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.514121758.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.543009513.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.449151118.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.247365585.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.254598295.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.261507768.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.267714415.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.476637367.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.354057356.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA4DD98 GetLastError,ImageList_Destroy,FreeLibrary,FreeLibrary,ExitWindowsEx,GetLastError,free,SetLastError,ExitProcess, 34_2_00007FF75CA4DD98
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A357B928 26_2_00007FF7A357B928
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35E7A00 26_2_00007FF7A35E7A00
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A357A058 26_2_00007FF7A357A058
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A360BF88 26_2_00007FF7A360BF88
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A361BFEC 26_2_00007FF7A361BFEC
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35DBE58 26_2_00007FF7A35DBE58
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35E5F08 26_2_00007FF7A35E5F08
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A3573D38 26_2_00007FF7A3573D38
Source: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe Code function: 30_2_00007FF6C5E63708 30_2_00007FF6C5E63708
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA90DAE 34_2_00007FF75CA90DAE
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA64FFC 34_2_00007FF75CA64FFC
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA4C0E8 34_2_00007FF75CA4C0E8
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA4D0F0 34_2_00007FF75CA4D0F0
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA4B040 34_2_00007FF75CA4B040
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA4CAA0 34_2_00007FF75CA4CAA0
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA4BB10 34_2_00007FF75CA4BB10
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA25610 34_2_00007FF75CA25610
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA675F8 34_2_00007FF75CA675F8
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA236D4 34_2_00007FF75CA236D4
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA296C4 34_2_00007FF75CA296C4
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA4F7C8 34_2_00007FF75CA4F7C8
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA6373C 34_2_00007FF75CA6373C
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA4E738 34_2_00007FF75CA4E738
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5E718 34_2_00007FF75CA5E718
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA931B6 34_2_00007FF75CA931B6
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA731E8 34_2_00007FF75CA731E8
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA4A120 34_2_00007FF75CA4A120
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA67194 34_2_00007FF75CA67194
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA602F8 34_2_00007FF75CA602F8
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA2B248 34_2_00007FF75CA2B248
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5023C 34_2_00007FF75CA5023C
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5C290 34_2_00007FF75CA5C290
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA66284 34_2_00007FF75CA66284
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA4B3A0 34_2_00007FF75CA4B3A0
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5E380 34_2_00007FF75CA5E380
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA62370 34_2_00007FF75CA62370
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA414D0 34_2_00007FF75CA414D0
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA4F49C 34_2_00007FF75CA4F49C
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA634F0 34_2_00007FF75CA634F0
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5141C 34_2_00007FF75CA5141C
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA7248C 34_2_00007FF75CA7248C
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA25490 34_2_00007FF75CA25490
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA4C490 34_2_00007FF75CA4C490
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2B1374 37_2_00007FF69A2B1374
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2AD380 37_2_00007FF69A2AD380
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2A33C8 37_2_00007FF69A2A33C8
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2BEC64 37_2_00007FF69A2BEC64
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2BB93C 37_2_00007FF69A2BB93C
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2ABA60 37_2_00007FF69A2ABA60
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2A7FDC 37_2_00007FF69A2A7FDC
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2B0FC0 37_2_00007FF69A2B0FC0
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2AE7C0 37_2_00007FF69A2AE7C0
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2AFFC0 37_2_00007FF69A2AFFC0
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2A385C 37_2_00007FF69A2A385C
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2AD844 37_2_00007FF69A2AD844
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2A40A8 37_2_00007FF69A2A40A8
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2AC540 37_2_00007FF69A2AC540
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2A5630 37_2_00007FF69A2A5630
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2AB660 37_2_00007FF69A2AB660
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2C3E3C 37_2_00007FF69A2C3E3C
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2A7ED4 37_2_00007FF69A2A7ED4
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2A5F30 37_2_00007FF69A2A5F30
Source: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe Code function: 39_2_00007FF6399546D8 39_2_00007FF6399546D8
Source: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe Code function: 39_2_00007FF639953E8C 39_2_00007FF639953E8C
Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe Code function: 41_2_00007FF7635C1E94 41_2_00007FF7635C1E94
Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe Code function: 41_2_00007FF7635C4A20 41_2_00007FF7635C4A20
Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe Code function: 41_2_00007FF7635C44E0 41_2_00007FF7635C44E0
Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe Code function: 41_2_00007FF7635C1778 41_2_00007FF7635C1778
Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe Code function: 41_2_00007FF7635C3B58 41_2_00007FF7635C3B58
Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe Code function: 41_2_00007FF7635C3168 41_2_00007FF7635C3168
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: String function: 00007FF75CA24DC0 appears 90 times
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: String function: 00007FF75CA47A04 appears 234 times
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: String function: 00007FF7A35862E4 appears 62 times
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: String function: 00007FF7A3616AD8 appears 230 times
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: String function: 00007FF7A3576894 appears 49 times
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: String function: 00007FF7A3574D68 appears 192 times
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: String function: 00007FF7A35732F8 appears 394 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140046C90 NtClose, 1_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006A4B0 NtQuerySystemInformation, 1_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe Code function: 24_2_00007FF64DC54280 NtClose, 24_2_00007FF64DC54280
Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe Code function: 24_2_00007FF64DC53400 GetLastError,NtClose,SetLastError,NtCreateTransaction,GetLastError,RegCloseKey,SetLastError,RegCreateKeyTransactedW,GetSystemTimeAsFileTime,RegGetValueW,RegGetValueW,RegGetValueW,RegGetValueW,RegGetValueW,RegOpenKeyTransactedW,RegGetValueW,RegGetValueW,GetLastError,RegCloseKey,SetLastError,RegDeleteTreeW,RegCloseKey,RegEnumKeyW,RegDeleteTreeW,RegSetValueExW, 24_2_00007FF64DC53400
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35E6C44 RtlInitUnicodeString,NtQueryLicenseValue, 26_2_00007FF7A35E6C44
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A361A9CC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString, 26_2_00007FF7A361A9CC
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5C6D8 NtIsUILanguageComitted,SetLastError,RegCloseKey,free,free,free,free,free,GetSystemDefaultUILanguage,EnumUILanguagesW,RegOpenKeyExW,SetLastError,RegEnumKeyExW,free,RegEnumKeyExW,LocaleNameToLCID,RegDeleteKeyW,_CxxThrowException, 34_2_00007FF75CA5C6D8
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5C664 NtGetMUIRegistryInfo,RtlNtStatusToDosError,SetLastError, 34_2_00007FF75CA5C664
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2A9330 NtQueryWnfStateData, 37_2_00007FF69A2A9330
PE file contains executable resources (Code or Archives)
Source: irftp.exe.6.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Sample file is different than original file name gathered from version info
Source: P7n0h6OhYp.dll Binary or memory string: OriginalFilenamekbdyj% vs P7n0h6OhYp.dll
PE file contains strange resources
Source: GamePanel.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lpksetup.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lpksetup.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lpksetup.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Narrator.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Narrator.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Narrator.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesComputerName.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesComputerName.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesComputerName.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
PE file contains more sections than normal
Source: DUI70.dll.6.dr Static PE information: Number of sections : 35 > 10
Source: DUI70.dll0.6.dr Static PE information: Number of sections : 35 > 10
Source: MFPlat.DLL.6.dr Static PE information: Number of sections : 35 > 10
Source: WINSTA.dll.6.dr Static PE information: Number of sections : 35 > 10
Source: P7n0h6OhYp.dll Static PE information: Number of sections : 34 > 10
Source: dxgi.dll.6.dr Static PE information: Number of sections : 35 > 10
Source: WINMM.dll.6.dr Static PE information: Number of sections : 35 > 10
Source: SYSDM.CPL.6.dr Static PE information: Number of sections : 35 > 10
Source: UxTheme.dll.6.dr Static PE information: Number of sections : 35 > 10
Source: DUser.dll.6.dr Static PE information: Number of sections : 35 > 10
Source: dpx.dll.6.dr Static PE information: Number of sections : 35 > 10
Source: MFC42u.dll.6.dr Static PE information: Number of sections : 35 > 10
Source: P7n0h6OhYp.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dxgi.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dpx.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUser.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFPlat.DLL.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: P7n0h6OhYp.dll Virustotal: Detection: 65%
Source: P7n0h6OhYp.dll Metadefender: Detection: 60%
Source: P7n0h6OhYp.dll ReversingLabs: Detection: 75%
Source: P7n0h6OhYp.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\P7n0h6OhYp.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\P7n0h6OhYp.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\P7n0h6OhYp.dll,IsInteractiveUserSession
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\P7n0h6OhYp.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\P7n0h6OhYp.dll,QueryActiveSession
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\P7n0h6OhYp.dll,QueryUserToken
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\RdpSa.exe C:\Windows\system32\RdpSa.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\dxgiadaptercache.exe C:\Windows\system32\dxgiadaptercache.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemSettingsRemoveDevice.exe C:\Windows\system32\SystemSettingsRemoveDevice.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\lpksetup.exe C:\Windows\system32\lpksetup.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\Narrator.exe C:\Windows\system32\Narrator.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\ocY6\Narrator.exe C:\Users\user\AppData\Local\ocY6\Narrator.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WindowsActionDialog.exe C:\Windows\system32\WindowsActionDialog.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\sessionmsg.exe C:\Windows\system32\sessionmsg.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\NNw\sessionmsg.exe C:\Users\user\AppData\Local\NNw\sessionmsg.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5FF90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,PrivilegeCheck,AdjustTokenPrivileges,CloseHandle, 34_2_00007FF75CA5FF90
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: irftp.exe.6.dr Binary string: \Device\IrDAIrDA:TinyTP:LsapSelOBEX:IrXferOBEXControl Panel\InfraredControl Panel\Infrared\GlobalControl Panel\Infrared\IrTranPAllowSendShowTrayIconPlaySoundRecvdFilesLocationDisableIrTranPv1DisableIrCOMMExploreOnCompletionSaveAsUPFireventsIrMon: ReadUserPreferences::Failed to init sockets
Source: classification engine Classification label: mal92.troj.evad.winDLL@49/23@0/0
Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe Code function: 21_2_00007FF73A1B3304 CoCreateInstance, 21_2_00007FF73A1B3304
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5DF98 GetWindowsDirectoryW,GetDiskFreeSpaceExW, 34_2_00007FF75CA5DF98
Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe Code function: 21_2_00007FF73A1B41EC LoadStringW,GetLastError,LoadStringW,GetLastError,FormatMessageW,GetLastError,WinStationSendMessageW,GetLastError,LocalFree, 21_2_00007FF73A1B41EC
Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe Mutant created: \Sessions\1\BaseNamedObjects\{70b75cb9-af4b-9a47-ae32-704b6f5b30ba}
Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe Mutant created: \Sessions\1\BaseNamedObjects\{abf78926-7d38-5169-88a8-6fd0cc7b22f5}
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35CB70C FindResourceW,LoadResource,LockResource,SizeofResource, 26_2_00007FF7A35CB70C
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync SUCCEEDED
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FINALIZING
Source: P7n0h6OhYp.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: P7n0h6OhYp.dll Static file information: File size 1220608 > 1048576
Source: P7n0h6OhYp.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: lpksetup.pdbGCTL source: lpksetup.exe, 00000022.00000000.454582465.00007FF75CA94000.00000002.00020000.sdmp, lpksetup.exe.6.dr
Source: Binary string: WindowsActionDialog.pdb source: WindowsActionDialog.exe, 00000027.00000000.492152009.00007FF63995B000.00000002.00020000.sdmp, WindowsActionDialog.exe.6.dr
Source: Binary string: RdpSa.pdbGCTL source: RdpSa.exe, 00000015.00000002.355771432.00007FF73A1B8000.00000002.00020000.sdmp, RdpSa.exe.6.dr
Source: Binary string: SessionMsg.pdb source: sessionmsg.exe, 00000029.00000000.518619141.00007FF7635CA000.00000002.00020000.sdmp, sessionmsg.exe.6.dr
Source: Binary string: RdpSa.pdb source: RdpSa.exe, 00000015.00000002.355771432.00007FF73A1B8000.00000002.00020000.sdmp, RdpSa.exe.6.dr
Source: Binary string: irftp.pdbGCTL source: irftp.exe.6.dr
Source: Binary string: MFPMP.pdb source: mfpmp.exe.6.dr
Source: Binary string: Narrator.pdb source: Narrator.exe, 00000025.00000000.481453109.00007FF69A2C7000.00000002.00020000.sdmp, Narrator.exe.6.dr
Source: Binary string: SystemPropertiesComputerName.pdb source: SystemPropertiesComputerName.exe.6.dr
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr
Source: Binary string: MFPMP.pdbUGP source: mfpmp.exe.6.dr
Source: Binary string: DXGIAdapterCache.pdbGCTL source: dxgiadaptercache.exe, 00000018.00000002.386856196.00007FF64DC58000.00000002.00020000.sdmp, dxgiadaptercache.exe.6.dr
Source: Binary string: SessionMsg.pdbGCTL source: sessionmsg.exe, 00000029.00000000.518619141.00007FF7635CA000.00000002.00020000.sdmp, sessionmsg.exe.6.dr
Source: Binary string: WindowsActionDialog.pdbGCTL source: WindowsActionDialog.exe, 00000027.00000000.492152009.00007FF63995B000.00000002.00020000.sdmp, WindowsActionDialog.exe.6.dr
Source: Binary string: SystemSettingsRemoveDevice.pdbGCTL source: SystemSettingsRemoveDevice.exe, 0000001E.00000002.451361109.00007FF6C5E66000.00000002.00020000.sdmp, SystemSettingsRemoveDevice.exe.6.dr
Source: Binary string: Narrator.pdbGCTL source: Narrator.exe, 00000025.00000000.481453109.00007FF69A2C7000.00000002.00020000.sdmp, Narrator.exe.6.dr
Source: Binary string: SystemPropertiesComputerName.pdbGCTL source: SystemPropertiesComputerName.exe.6.dr
Source: Binary string: DXGIAdapterCache.pdb source: dxgiadaptercache.exe, 00000018.00000002.386856196.00007FF64DC58000.00000002.00020000.sdmp, dxgiadaptercache.exe.6.dr
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr
Source: Binary string: lpksetup.pdb source: lpksetup.exe, 00000022.00000000.454582465.00007FF75CA94000.00000002.00020000.sdmp, lpksetup.exe.6.dr
Source: Binary string: SystemSettingsRemoveDevice.pdb source: SystemSettingsRemoveDevice.exe, 0000001E.00000002.451361109.00007FF6C5E66000.00000002.00020000.sdmp, SystemSettingsRemoveDevice.exe.6.dr
Source: Binary string: irftp.pdb source: irftp.exe.6.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140056A4D push rdi; ret 1_2_0000000140056A4E
PE file contains sections with non-standard names
Source: P7n0h6OhYp.dll Static PE information: section name: .qkm
Source: P7n0h6OhYp.dll Static PE information: section name: .cvjb
Source: P7n0h6OhYp.dll Static PE information: section name: .tlmkv
Source: P7n0h6OhYp.dll Static PE information: section name: .wucsxe
Source: P7n0h6OhYp.dll Static PE information: section name: .wnx
Source: P7n0h6OhYp.dll Static PE information: section name: .weqy
Source: P7n0h6OhYp.dll Static PE information: section name: .yby
Source: P7n0h6OhYp.dll Static PE information: section name: .ormx
Source: P7n0h6OhYp.dll Static PE information: section name: .dhclu
Source: P7n0h6OhYp.dll Static PE information: section name: .xmiul
Source: P7n0h6OhYp.dll Static PE information: section name: .tlwcxe
Source: P7n0h6OhYp.dll Static PE information: section name: .get
Source: P7n0h6OhYp.dll Static PE information: section name: .hzrd
Source: P7n0h6OhYp.dll Static PE information: section name: .qzu
Source: P7n0h6OhYp.dll Static PE information: section name: .tbbd
Source: P7n0h6OhYp.dll Static PE information: section name: .shoovi
Source: P7n0h6OhYp.dll Static PE information: section name: .wbmgl
Source: P7n0h6OhYp.dll Static PE information: section name: .aobcn
Source: P7n0h6OhYp.dll Static PE information: section name: .xdno
Source: P7n0h6OhYp.dll Static PE information: section name: .ipsw
Source: P7n0h6OhYp.dll Static PE information: section name: .cqpqq
Source: P7n0h6OhYp.dll Static PE information: section name: .skzqoj
Source: P7n0h6OhYp.dll Static PE information: section name: .nvjg
Source: P7n0h6OhYp.dll Static PE information: section name: .bbt
Source: P7n0h6OhYp.dll Static PE information: section name: .wsg
Source: P7n0h6OhYp.dll Static PE information: section name: .vqdhza
Source: P7n0h6OhYp.dll Static PE information: section name: .mgf
Source: P7n0h6OhYp.dll Static PE information: section name: .xusvuv
Source: GamePanel.exe.6.dr Static PE information: section name: .imrsiv
Source: GamePanel.exe.6.dr Static PE information: section name: .didat
Source: SystemSettingsRemoveDevice.exe.6.dr Static PE information: section name: .imrsiv
Source: WindowsActionDialog.exe.6.dr Static PE information: section name: .imrsiv
Source: sessionmsg.exe.6.dr Static PE information: section name: .imrsiv
Source: mfpmp.exe.6.dr Static PE information: section name: .didat
Source: WINSTA.dll.6.dr Static PE information: section name: .qkm
Source: WINSTA.dll.6.dr Static PE information: section name: .cvjb
Source: WINSTA.dll.6.dr Static PE information: section name: .tlmkv
Source: WINSTA.dll.6.dr Static PE information: section name: .wucsxe
Source: WINSTA.dll.6.dr Static PE information: section name: .wnx
Source: WINSTA.dll.6.dr Static PE information: section name: .weqy
Source: WINSTA.dll.6.dr Static PE information: section name: .yby
Source: WINSTA.dll.6.dr Static PE information: section name: .ormx
Source: WINSTA.dll.6.dr Static PE information: section name: .dhclu
Source: WINSTA.dll.6.dr Static PE information: section name: .xmiul
Source: WINSTA.dll.6.dr Static PE information: section name: .tlwcxe
Source: WINSTA.dll.6.dr Static PE information: section name: .get
Source: WINSTA.dll.6.dr Static PE information: section name: .hzrd
Source: WINSTA.dll.6.dr Static PE information: section name: .qzu
Source: WINSTA.dll.6.dr Static PE information: section name: .tbbd
Source: WINSTA.dll.6.dr Static PE information: section name: .shoovi
Source: WINSTA.dll.6.dr Static PE information: section name: .wbmgl
Source: WINSTA.dll.6.dr Static PE information: section name: .aobcn
Source: WINSTA.dll.6.dr Static PE information: section name: .xdno
Source: WINSTA.dll.6.dr Static PE information: section name: .ipsw
Source: WINSTA.dll.6.dr Static PE information: section name: .cqpqq
Source: WINSTA.dll.6.dr Static PE information: section name: .skzqoj
Source: WINSTA.dll.6.dr Static PE information: section name: .nvjg
Source: WINSTA.dll.6.dr Static PE information: section name: .bbt
Source: WINSTA.dll.6.dr Static PE information: section name: .wsg
Source: WINSTA.dll.6.dr Static PE information: section name: .vqdhza
Source: WINSTA.dll.6.dr Static PE information: section name: .mgf
Source: WINSTA.dll.6.dr Static PE information: section name: .xusvuv
Source: WINSTA.dll.6.dr Static PE information: section name: .vhvcw
Source: dxgi.dll.6.dr Static PE information: section name: .qkm
Source: dxgi.dll.6.dr Static PE information: section name: .cvjb
Source: dxgi.dll.6.dr Static PE information: section name: .tlmkv
Source: dxgi.dll.6.dr Static PE information: section name: .wucsxe
Source: dxgi.dll.6.dr Static PE information: section name: .wnx
Source: dxgi.dll.6.dr Static PE information: section name: .weqy
Source: dxgi.dll.6.dr Static PE information: section name: .yby
Source: dxgi.dll.6.dr Static PE information: section name: .ormx
Source: dxgi.dll.6.dr Static PE information: section name: .dhclu
Source: dxgi.dll.6.dr Static PE information: section name: .xmiul
Source: dxgi.dll.6.dr Static PE information: section name: .tlwcxe
Source: dxgi.dll.6.dr Static PE information: section name: .get
Source: dxgi.dll.6.dr Static PE information: section name: .hzrd
Source: dxgi.dll.6.dr Static PE information: section name: .qzu
Source: dxgi.dll.6.dr Static PE information: section name: .tbbd
Source: dxgi.dll.6.dr Static PE information: section name: .shoovi
Source: dxgi.dll.6.dr Static PE information: section name: .wbmgl
Source: dxgi.dll.6.dr Static PE information: section name: .aobcn
Source: dxgi.dll.6.dr Static PE information: section name: .xdno
Source: dxgi.dll.6.dr Static PE information: section name: .ipsw
Source: dxgi.dll.6.dr Static PE information: section name: .cqpqq
Source: dxgi.dll.6.dr Static PE information: section name: .skzqoj
Source: dxgi.dll.6.dr Static PE information: section name: .nvjg
Source: dxgi.dll.6.dr Static PE information: section name: .bbt
Source: dxgi.dll.6.dr Static PE information: section name: .wsg
Source: dxgi.dll.6.dr Static PE information: section name: .vqdhza
Source: dxgi.dll.6.dr Static PE information: section name: .mgf
Source: dxgi.dll.6.dr Static PE information: section name: .xusvuv
Source: dxgi.dll.6.dr Static PE information: section name: .gcgbes
Source: UxTheme.dll.6.dr Static PE information: section name: .qkm
Source: UxTheme.dll.6.dr Static PE information: section name: .cvjb
Source: UxTheme.dll.6.dr Static PE information: section name: .tlmkv
Source: UxTheme.dll.6.dr Static PE information: section name: .wucsxe
Source: UxTheme.dll.6.dr Static PE information: section name: .wnx
Source: UxTheme.dll.6.dr Static PE information: section name: .weqy
Source: UxTheme.dll.6.dr Static PE information: section name: .yby
Source: UxTheme.dll.6.dr Static PE information: section name: .ormx
Source: UxTheme.dll.6.dr Static PE information: section name: .dhclu
Source: UxTheme.dll.6.dr Static PE information: section name: .xmiul
Source: UxTheme.dll.6.dr Static PE information: section name: .tlwcxe
Source: UxTheme.dll.6.dr Static PE information: section name: .get
Source: UxTheme.dll.6.dr Static PE information: section name: .hzrd
Source: UxTheme.dll.6.dr Static PE information: section name: .qzu
Source: UxTheme.dll.6.dr Static PE information: section name: .tbbd
Source: UxTheme.dll.6.dr Static PE information: section name: .shoovi
Source: UxTheme.dll.6.dr Static PE information: section name: .wbmgl
Source: UxTheme.dll.6.dr Static PE information: section name: .aobcn
Source: UxTheme.dll.6.dr Static PE information: section name: .xdno
Source: UxTheme.dll.6.dr Static PE information: section name: .ipsw
Source: UxTheme.dll.6.dr Static PE information: section name: .cqpqq
Source: UxTheme.dll.6.dr Static PE information: section name: .skzqoj
Source: UxTheme.dll.6.dr Static PE information: section name: .nvjg
Source: UxTheme.dll.6.dr Static PE information: section name: .bbt
Source: UxTheme.dll.6.dr Static PE information: section name: .wsg
Source: UxTheme.dll.6.dr Static PE information: section name: .vqdhza
Source: UxTheme.dll.6.dr Static PE information: section name: .mgf
Source: UxTheme.dll.6.dr Static PE information: section name: .xusvuv
Source: UxTheme.dll.6.dr Static PE information: section name: .xwee
Source: DUI70.dll.6.dr Static PE information: section name: .qkm
Source: DUI70.dll.6.dr Static PE information: section name: .cvjb
Source: DUI70.dll.6.dr Static PE information: section name: .tlmkv
Source: DUI70.dll.6.dr Static PE information: section name: .wucsxe
Source: DUI70.dll.6.dr Static PE information: section name: .wnx
Source: DUI70.dll.6.dr Static PE information: section name: .weqy
Source: DUI70.dll.6.dr Static PE information: section name: .yby
Source: DUI70.dll.6.dr Static PE information: section name: .ormx
Source: DUI70.dll.6.dr Static PE information: section name: .dhclu
Source: DUI70.dll.6.dr Static PE information: section name: .xmiul
Source: DUI70.dll.6.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll.6.dr Static PE information: section name: .get
Source: DUI70.dll.6.dr Static PE information: section name: .hzrd
Source: DUI70.dll.6.dr Static PE information: section name: .qzu
Source: DUI70.dll.6.dr Static PE information: section name: .tbbd
Source: DUI70.dll.6.dr Static PE information: section name: .shoovi
Source: DUI70.dll.6.dr Static PE information: section name: .wbmgl
Source: DUI70.dll.6.dr Static PE information: section name: .aobcn
Source: DUI70.dll.6.dr Static PE information: section name: .xdno
Source: DUI70.dll.6.dr Static PE information: section name: .ipsw
Source: DUI70.dll.6.dr Static PE information: section name: .cqpqq
Source: DUI70.dll.6.dr Static PE information: section name: .skzqoj
Source: DUI70.dll.6.dr Static PE information: section name: .nvjg
Source: DUI70.dll.6.dr Static PE information: section name: .bbt
Source: DUI70.dll.6.dr Static PE information: section name: .wsg
Source: DUI70.dll.6.dr Static PE information: section name: .vqdhza
Source: DUI70.dll.6.dr Static PE information: section name: .mgf
Source: DUI70.dll.6.dr Static PE information: section name: .xusvuv
Source: DUI70.dll.6.dr Static PE information: section name: .dwthk
Source: dpx.dll.6.dr Static PE information: section name: .qkm
Source: dpx.dll.6.dr Static PE information: section name: .cvjb
Source: dpx.dll.6.dr Static PE information: section name: .tlmkv
Source: dpx.dll.6.dr Static PE information: section name: .wucsxe
Source: dpx.dll.6.dr Static PE information: section name: .wnx
Source: dpx.dll.6.dr Static PE information: section name: .weqy
Source: dpx.dll.6.dr Static PE information: section name: .yby
Source: dpx.dll.6.dr Static PE information: section name: .ormx
Source: dpx.dll.6.dr Static PE information: section name: .dhclu
Source: dpx.dll.6.dr Static PE information: section name: .xmiul
Source: dpx.dll.6.dr Static PE information: section name: .tlwcxe
Source: dpx.dll.6.dr Static PE information: section name: .get
Source: dpx.dll.6.dr Static PE information: section name: .hzrd
Source: dpx.dll.6.dr Static PE information: section name: .qzu
Source: dpx.dll.6.dr Static PE information: section name: .tbbd
Source: dpx.dll.6.dr Static PE information: section name: .shoovi
Source: dpx.dll.6.dr Static PE information: section name: .wbmgl
Source: dpx.dll.6.dr Static PE information: section name: .aobcn
Source: dpx.dll.6.dr Static PE information: section name: .xdno
Source: dpx.dll.6.dr Static PE information: section name: .ipsw
Source: dpx.dll.6.dr Static PE information: section name: .cqpqq
Source: dpx.dll.6.dr Static PE information: section name: .skzqoj
Source: dpx.dll.6.dr Static PE information: section name: .nvjg
Source: dpx.dll.6.dr Static PE information: section name: .bbt
Source: dpx.dll.6.dr Static PE information: section name: .wsg
Source: dpx.dll.6.dr Static PE information: section name: .vqdhza
Source: dpx.dll.6.dr Static PE information: section name: .mgf
Source: dpx.dll.6.dr Static PE information: section name: .xusvuv
Source: dpx.dll.6.dr Static PE information: section name: .nxobd
Source: WINMM.dll.6.dr Static PE information: section name: .qkm
Source: WINMM.dll.6.dr Static PE information: section name: .cvjb
Source: WINMM.dll.6.dr Static PE information: section name: .tlmkv
Source: WINMM.dll.6.dr Static PE information: section name: .wucsxe
Source: WINMM.dll.6.dr Static PE information: section name: .wnx
Source: WINMM.dll.6.dr Static PE information: section name: .weqy
Source: WINMM.dll.6.dr Static PE information: section name: .yby
Source: WINMM.dll.6.dr Static PE information: section name: .ormx
Source: WINMM.dll.6.dr Static PE information: section name: .dhclu
Source: WINMM.dll.6.dr Static PE information: section name: .xmiul
Source: WINMM.dll.6.dr Static PE information: section name: .tlwcxe
Source: WINMM.dll.6.dr Static PE information: section name: .get
Source: WINMM.dll.6.dr Static PE information: section name: .hzrd
Source: WINMM.dll.6.dr Static PE information: section name: .qzu
Source: WINMM.dll.6.dr Static PE information: section name: .tbbd
Source: WINMM.dll.6.dr Static PE information: section name: .shoovi
Source: WINMM.dll.6.dr Static PE information: section name: .wbmgl
Source: WINMM.dll.6.dr Static PE information: section name: .aobcn
Source: WINMM.dll.6.dr Static PE information: section name: .xdno
Source: WINMM.dll.6.dr Static PE information: section name: .ipsw
Source: WINMM.dll.6.dr Static PE information: section name: .cqpqq
Source: WINMM.dll.6.dr Static PE information: section name: .skzqoj
Source: WINMM.dll.6.dr Static PE information: section name: .nvjg
Source: WINMM.dll.6.dr Static PE information: section name: .bbt
Source: WINMM.dll.6.dr Static PE information: section name: .wsg
Source: WINMM.dll.6.dr Static PE information: section name: .vqdhza
Source: WINMM.dll.6.dr Static PE information: section name: .mgf
Source: WINMM.dll.6.dr Static PE information: section name: .xusvuv
Source: WINMM.dll.6.dr Static PE information: section name: .kdulth
Source: DUI70.dll0.6.dr Static PE information: section name: .qkm
Source: DUI70.dll0.6.dr Static PE information: section name: .cvjb
Source: DUI70.dll0.6.dr Static PE information: section name: .tlmkv
Source: DUI70.dll0.6.dr Static PE information: section name: .wucsxe
Source: DUI70.dll0.6.dr Static PE information: section name: .wnx
Source: DUI70.dll0.6.dr Static PE information: section name: .weqy
Source: DUI70.dll0.6.dr Static PE information: section name: .yby
Source: DUI70.dll0.6.dr Static PE information: section name: .ormx
Source: DUI70.dll0.6.dr Static PE information: section name: .dhclu
Source: DUI70.dll0.6.dr Static PE information: section name: .xmiul
Source: DUI70.dll0.6.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll0.6.dr Static PE information: section name: .get
Source: DUI70.dll0.6.dr Static PE information: section name: .hzrd
Source: DUI70.dll0.6.dr Static PE information: section name: .qzu
Source: DUI70.dll0.6.dr Static PE information: section name: .tbbd
Source: DUI70.dll0.6.dr Static PE information: section name: .shoovi
Source: DUI70.dll0.6.dr Static PE information: section name: .wbmgl
Source: DUI70.dll0.6.dr Static PE information: section name: .aobcn
Source: DUI70.dll0.6.dr Static PE information: section name: .xdno
Source: DUI70.dll0.6.dr Static PE information: section name: .ipsw
Source: DUI70.dll0.6.dr Static PE information: section name: .cqpqq
Source: DUI70.dll0.6.dr Static PE information: section name: .skzqoj
Source: DUI70.dll0.6.dr Static PE information: section name: .nvjg
Source: DUI70.dll0.6.dr Static PE information: section name: .bbt
Source: DUI70.dll0.6.dr Static PE information: section name: .wsg
Source: DUI70.dll0.6.dr Static PE information: section name: .vqdhza
Source: DUI70.dll0.6.dr Static PE information: section name: .mgf
Source: DUI70.dll0.6.dr Static PE information: section name: .xusvuv
Source: DUI70.dll0.6.dr Static PE information: section name: .dua
Source: DUser.dll.6.dr Static PE information: section name: .qkm
Source: DUser.dll.6.dr Static PE information: section name: .cvjb
Source: DUser.dll.6.dr Static PE information: section name: .tlmkv
Source: DUser.dll.6.dr Static PE information: section name: .wucsxe
Source: DUser.dll.6.dr Static PE information: section name: .wnx
Source: DUser.dll.6.dr Static PE information: section name: .weqy
Source: DUser.dll.6.dr Static PE information: section name: .yby
Source: DUser.dll.6.dr Static PE information: section name: .ormx
Source: DUser.dll.6.dr Static PE information: section name: .dhclu
Source: DUser.dll.6.dr Static PE information: section name: .xmiul
Source: DUser.dll.6.dr Static PE information: section name: .tlwcxe
Source: DUser.dll.6.dr Static PE information: section name: .get
Source: DUser.dll.6.dr Static PE information: section name: .hzrd
Source: DUser.dll.6.dr Static PE information: section name: .qzu
Source: DUser.dll.6.dr Static PE information: section name: .tbbd
Source: DUser.dll.6.dr Static PE information: section name: .shoovi
Source: DUser.dll.6.dr Static PE information: section name: .wbmgl
Source: DUser.dll.6.dr Static PE information: section name: .aobcn
Source: DUser.dll.6.dr Static PE information: section name: .xdno
Source: DUser.dll.6.dr Static PE information: section name: .ipsw
Source: DUser.dll.6.dr Static PE information: section name: .cqpqq
Source: DUser.dll.6.dr Static PE information: section name: .skzqoj
Source: DUser.dll.6.dr Static PE information: section name: .nvjg
Source: DUser.dll.6.dr Static PE information: section name: .bbt
Source: DUser.dll.6.dr Static PE information: section name: .wsg
Source: DUser.dll.6.dr Static PE information: section name: .vqdhza
Source: DUser.dll.6.dr Static PE information: section name: .mgf
Source: DUser.dll.6.dr Static PE information: section name: .xusvuv
Source: DUser.dll.6.dr Static PE information: section name: .xpfa
Source: MFC42u.dll.6.dr Static PE information: section name: .qkm
Source: MFC42u.dll.6.dr Static PE information: section name: .cvjb
Source: MFC42u.dll.6.dr Static PE information: section name: .tlmkv
Source: MFC42u.dll.6.dr Static PE information: section name: .wucsxe
Source: MFC42u.dll.6.dr Static PE information: section name: .wnx
Source: MFC42u.dll.6.dr Static PE information: section name: .weqy
Source: MFC42u.dll.6.dr Static PE information: section name: .yby
Source: MFC42u.dll.6.dr Static PE information: section name: .ormx
Source: MFC42u.dll.6.dr Static PE information: section name: .dhclu
Source: MFC42u.dll.6.dr Static PE information: section name: .xmiul
Source: MFC42u.dll.6.dr Static PE information: section name: .tlwcxe
Source: MFC42u.dll.6.dr Static PE information: section name: .get
Source: MFC42u.dll.6.dr Static PE information: section name: .hzrd
Source: MFC42u.dll.6.dr Static PE information: section name: .qzu
Source: MFC42u.dll.6.dr Static PE information: section name: .tbbd
Source: MFC42u.dll.6.dr Static PE information: section name: .shoovi
Source: MFC42u.dll.6.dr Static PE information: section name: .wbmgl
Source: MFC42u.dll.6.dr Static PE information: section name: .aobcn
Source: MFC42u.dll.6.dr Static PE information: section name: .xdno
Source: MFC42u.dll.6.dr Static PE information: section name: .ipsw
Source: MFC42u.dll.6.dr Static PE information: section name: .cqpqq
Source: MFC42u.dll.6.dr Static PE information: section name: .skzqoj
Source: MFC42u.dll.6.dr Static PE information: section name: .nvjg
Source: MFC42u.dll.6.dr Static PE information: section name: .bbt
Source: MFC42u.dll.6.dr Static PE information: section name: .wsg
Source: MFC42u.dll.6.dr Static PE information: section name: .vqdhza
Source: MFC42u.dll.6.dr Static PE information: section name: .mgf
Source: MFC42u.dll.6.dr Static PE information: section name: .xusvuv
Source: MFC42u.dll.6.dr Static PE information: section name: .wuijw
Source: SYSDM.CPL.6.dr Static PE information: section name: .qkm
Source: SYSDM.CPL.6.dr Static PE information: section name: .cvjb
Source: SYSDM.CPL.6.dr Static PE information: section name: .tlmkv
Source: SYSDM.CPL.6.dr Static PE information: section name: .wucsxe
Source: SYSDM.CPL.6.dr Static PE information: section name: .wnx
Source: SYSDM.CPL.6.dr Static PE information: section name: .weqy
Source: SYSDM.CPL.6.dr Static PE information: section name: .yby
Source: SYSDM.CPL.6.dr Static PE information: section name: .ormx
Source: SYSDM.CPL.6.dr Static PE information: section name: .dhclu
Source: SYSDM.CPL.6.dr Static PE information: section name: .xmiul
Source: SYSDM.CPL.6.dr Static PE information: section name: .tlwcxe
Source: SYSDM.CPL.6.dr Static PE information: section name: .get
Source: SYSDM.CPL.6.dr Static PE information: section name: .hzrd
Source: SYSDM.CPL.6.dr Static PE information: section name: .qzu
Source: SYSDM.CPL.6.dr Static PE information: section name: .tbbd
Source: SYSDM.CPL.6.dr Static PE information: section name: .shoovi
Source: SYSDM.CPL.6.dr Static PE information: section name: .wbmgl
Source: SYSDM.CPL.6.dr Static PE information: section name: .aobcn
Source: SYSDM.CPL.6.dr Static PE information: section name: .xdno
Source: SYSDM.CPL.6.dr Static PE information: section name: .ipsw
Source: SYSDM.CPL.6.dr Static PE information: section name: .cqpqq
Source: SYSDM.CPL.6.dr Static PE information: section name: .skzqoj
Source: SYSDM.CPL.6.dr Static PE information: section name: .nvjg
Source: SYSDM.CPL.6.dr Static PE information: section name: .bbt
Source: SYSDM.CPL.6.dr Static PE information: section name: .wsg
Source: SYSDM.CPL.6.dr Static PE information: section name: .vqdhza
Source: SYSDM.CPL.6.dr Static PE information: section name: .mgf
Source: SYSDM.CPL.6.dr Static PE information: section name: .xusvuv
Source: SYSDM.CPL.6.dr Static PE information: section name: .vmsby
Source: MFPlat.DLL.6.dr Static PE information: section name: .qkm
Source: MFPlat.DLL.6.dr Static PE information: section name: .cvjb
Source: MFPlat.DLL.6.dr Static PE information: section name: .tlmkv
Source: MFPlat.DLL.6.dr Static PE information: section name: .wucsxe
Source: MFPlat.DLL.6.dr Static PE information: section name: .wnx
Source: MFPlat.DLL.6.dr Static PE information: section name: .weqy
Source: MFPlat.DLL.6.dr Static PE information: section name: .yby
Source: MFPlat.DLL.6.dr Static PE information: section name: .ormx
Source: MFPlat.DLL.6.dr Static PE information: section name: .dhclu
Source: MFPlat.DLL.6.dr Static PE information: section name: .xmiul
Source: MFPlat.DLL.6.dr Static PE information: section name: .tlwcxe
Source: MFPlat.DLL.6.dr Static PE information: section name: .get
Source: MFPlat.DLL.6.dr Static PE information: section name: .hzrd
Source: MFPlat.DLL.6.dr Static PE information: section name: .qzu
Source: MFPlat.DLL.6.dr Static PE information: section name: .tbbd
Source: MFPlat.DLL.6.dr Static PE information: section name: .shoovi
Source: MFPlat.DLL.6.dr Static PE information: section name: .wbmgl
Source: MFPlat.DLL.6.dr Static PE information: section name: .aobcn
Source: MFPlat.DLL.6.dr Static PE information: section name: .xdno
Source: MFPlat.DLL.6.dr Static PE information: section name: .ipsw
Source: MFPlat.DLL.6.dr Static PE information: section name: .cqpqq
Source: MFPlat.DLL.6.dr Static PE information: section name: .skzqoj
Source: MFPlat.DLL.6.dr Static PE information: section name: .nvjg
Source: MFPlat.DLL.6.dr Static PE information: section name: .bbt
Source: MFPlat.DLL.6.dr Static PE information: section name: .wsg
Source: MFPlat.DLL.6.dr Static PE information: section name: .vqdhza
Source: MFPlat.DLL.6.dr Static PE information: section name: .mgf
Source: MFPlat.DLL.6.dr Static PE information: section name: .xusvuv
Source: MFPlat.DLL.6.dr Static PE information: section name: .pod
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5E1C0 LoadLibraryW,GetProcAddress,SetLastError,GetProcessHeap,HeapFree,FreeLibrary, 34_2_00007FF75CA5E1C0
PE file contains an invalid checksum
Source: DUI70.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x17e0d3
Source: DUI70.dll0.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x175312
Source: MFPlat.DLL.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x13a28e
Source: WINSTA.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x130e59
Source: P7n0h6OhYp.dll Static PE information: real checksum: 0x7d786c40 should be: 0x12bd58
Source: dxgi.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x12efaf
Source: WINMM.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x136255
Source: SYSDM.CPL.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x130324
Source: UxTheme.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x139326
Source: DUser.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x13a09a
Source: dpx.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x13493d
Source: MFC42u.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x134998
Binary contains a suspicious time stamp
Source: RdpSa.exe.6.dr Static PE information: 0xF201B8C4 [Sat Aug 30 01:05:08 2098 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4PmTNr\SYSDM.CPL
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Rn1XW4tG\UxTheme.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\JrFH9qPBX\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\tiy3x\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pEPyA\MFPlat.DLL
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aDD0Ov\dxgi.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4PmTNr\SYSDM.CPL
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ocY6\WINMM.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pEPyA\mfpmp.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NNw\DUser.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\A7mgbJ\dpx.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ocY6\Narrator.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NNw\sessionmsg.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4PmTNr\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\j3KBEEMS\irftp.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\1wgM9CYx\WINSTA.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\j3KBEEMS\MFC42u.dll
Contains functionality to create restore points
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5E024 LoadLibraryExW,GetProcAddress,GetProcessHeap,HeapAlloc,SetLastError,LoadStringW,SetLastError,SetLastError,GetProcessHeap,HeapFree,FreeLibrary, 34_2_00007FF75CA5E024

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2AC540 GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetLastError,ShowWindow,IsIconic,GetWindowRect,CoCreateInstance,GetProcAddress,ShellExecuteW,PostQuitMessage,PostMessageW, 37_2_00007FF69A2AC540
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA2B248 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetLastError,GetProcessHeap,HeapAlloc,wcscmp,wcscmp,GetCurrentProcess,GetProcessMitigationPolicy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetModuleFileNameW,GetLastError,GetLastError,~SyncLockT,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,memcpy,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetModuleHandleExW,GetLastError,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,memset,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,HeapFree,GetLastError,memset,memset,GetLastError,FreeLibrary,memset,memcpy,memset,GetLastError,memset,GetLastError,GetLastError,memset,GetLastError,GetLastError,memset,memset,memset,memset,memset,GetLastError,memset,GetLastError,memset,memset,memset,GetLastError,GetLastError,memset,GetLastError,GetLastError,memset,GetLastError,memset,memset,memset,GetLastError,memset,GetLastError,memset,memset,memset,memset,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,FreeLibrary,memset,memcpy,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap, 34_2_00007FF75CA2B248
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 4416 Thread sleep count: 44 > 30
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\pEPyA\MFPlat.DLL
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\4PmTNr\SYSDM.CPL
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ocY6\WINMM.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\pEPyA\mfpmp.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\4PmTNr\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\j3KBEEMS\irftp.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\j3KBEEMS\MFC42u.dll
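The dropped files above come in pairs: a copy of a Windows executable (mfpmp.exe, SystemPropertiesComputerName.exe, irftp.exe) sitting in a randomly named folder under %LOCALAPPDATA% next to a library with the name of one of that executable's imports (MFPlat.DLL, SYSDM.CPL, MFC42u.dll). That is the DLL search-order hijack (side-loading) layout: launching the copied executable loads the library from its own folder before the real one in System32. The following triage script is an added example and not part of the sandbox report; it parses the report's own path evidence, groups the files by folder and flags executable/library pairs. The random-folder-name test is a heuristic assumed here, not a report signature, and the sample lines are copied from the report with one unrelated line added to show it is ignored.

```python
"""Pair the dropped PE files from the report into DLL side-loading candidates."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample input: source lines copied from the report above, plus
# one unrelated line to show that paths outside %LOCALAPPDATA% are ignored.
REPORT_LINES = [
    r"Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\pEPyA\MFPlat.DLL",
    r"Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\4PmTNr\SYSDM.CPL",
    r"Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ocY6\WINMM.dll",
    r"Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\pEPyA\mfpmp.exe",
    r"Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\4PmTNr\SystemPropertiesComputerName.exe",
    r"Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\j3KBEEMS\irftp.exe",
    r"Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\j3KBEEMS\MFC42u.dll",
    r"Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2C35E4 IsDebuggerPresent,SetUnhandledExceptionFilter,",
    r"Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA2B248 rdtsc",
    r"Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe",
]

# A PE file placed directly inside a folder under C:\Users\<name>\AppData\Local.
PE_PATH = re.compile(
    r"[A-Za-z]:\\Users\\[^\\\s]+\\AppData\\Local\\"
    r"(?P<folder>[^\\\s]+)\\(?P<file>[^\\\s]+\.(?:exe|dll|cpl))\b",
    re.IGNORECASE,
)


def looks_random(folder: str) -> bool:
    """Heuristic (assumed here) for generated folder names such as pEPyA or ocY6:
    short, alphanumeric only, and containing a digit or an upper-case letter
    after the first character. Ordinary vendor folders like 'Microsoft' fail it."""
    if not re.fullmatch(r"[A-Za-z0-9]{3,12}", folder):
        return False
    return any(c.isdigit() for c in folder) or any(c.isupper() for c in folder[1:])


def files_by_folder(lines: List[str]) -> Dict[str, List[str]]:
    """Collect every matching PE path from the report lines, grouped by folder."""
    found = defaultdict(set)
    for line in lines:
        for m in PE_PATH.finditer(line):
            found[m.group("folder")].add(m.group("file"))
    return {folder: sorted(files) for folder, files in found.items()}


def find_sideload_candidates(lines: List[str]) -> List[dict]:
    """One entry per folder that holds an executable. 'paired' means a DLL or CPL
    sits beside it, which is the layout a search-order hijack needs; an
    executable on its own is reported too, because its library may simply not
    have been observed yet."""
    results = []
    for folder, files in sorted(files_by_folder(lines).items()):
        exes = [f for f in files if f.lower().endswith(".exe")]
        libs = [f for f in files if f.lower().endswith((".dll", ".cpl"))]
        if not exes:
            continue
        results.append({
            "folder": folder,
            "executables": exes,
            "libraries": libs,
            "paired": bool(libs),
            "random_name": looks_random(folder),
        })
    return results


if __name__ == "__main__":
    for c in find_sideload_candidates(REPORT_LINES):
        flag = "PAIR" if c["paired"] else "exe only"
        print(f"{c['folder']:10} {flag:8} {', '.join(c['executables'] + c['libraries'])}")
```

On the report's lines this yields four paired folders (pEPyA, 4PmTNr, ocY6, j3KBEEMS) and one executable without an observed companion (A7mgbJ\lpksetup.exe). Co-location is only the first filter: confirming a hijack means checking that the library name appears in the executable's import table and that the dropped library is not the signed Microsoft file of that name.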
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5D288 GetLocalTime followed by cmp: cmp dx, 0018h and CTI: jbe 00007FF75CA5D3C8h 34_2_00007FF75CA5D288
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA2B248 rdtsc 34_2_00007FF75CA2B248
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005C340 GetSystemInfo, 1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D290 FindFirstFileExW, 1_2_000000014005D290
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5FC24 SetLastError,malloc,PathCchCombine,FindFirstFileW,GetLastError,free,malloc,PathCchCombine,DeleteFileW,FindNextFileW,RemoveDirectoryW,free,FindClose, 34_2_00007FF75CA5FC24
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA65828 memset,PathCchCombine,memset,FindFirstFileW,PathCchCombine,PathFindExtensionW,_wcsicmp,_wcsicmp,_wcsicmp,PathCchCombine,free,free,free,free,FindNextFileW,FindClose, 34_2_00007FF75CA65828
Source: explorer.exe, 00000006.00000000.250299245.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.292788687.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000006.00000000.256548846.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000006.00000000.251030851.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000006.00000000.256548846.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Note: the five device-path strings above were read from the memory of the sandbox's own explorer.exe (the process the sample injects into), so they record that the analysis ran in a VMware guest; on their own they are not evidence that the sample queries for a hypervisor.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe Code function: 24_2_00007FF64DC56914 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00007FF64DC56914
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe Code function: 41_2_00007FF7635C72D0 GetLastError,_vsnprintf,OutputDebugStringA,SetLastError, 41_2_00007FF7635C72D0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5E1C0 LoadLibraryW,GetProcAddress,SetLastError,GetProcessHeap,HeapFree,FreeLibrary, 34_2_00007FF75CA5E1C0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe Code function: 21_2_00007FF73A1B1124 SysFreeString,GetProcessHeap,HeapFree, 21_2_00007FF73A1B1124
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA2B248 rdtsc 34_2_00007FF75CA2B248
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140048AC0 LdrLoadDll,FindClose, 1_2_0000000140048AC0
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35AED00 memset,memset,QueryPerformanceFrequency,QueryPerformanceCounter,BlockInput, 26_2_00007FF7A35AED00
Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe Code function: 21_2_00007FF73A1B7330 SetUnhandledExceptionFilter, 21_2_00007FF73A1B7330
Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe Code function: 21_2_00007FF73A1B75B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_00007FF73A1B75B4
Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe Code function: 24_2_00007FF64DC56914 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00007FF64DC56914
Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe Code function: 24_2_00007FF64DC56F00 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00007FF64DC56F00
Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe Code function: 24_2_00007FF64DC570A0 SetUnhandledExceptionFilter, 24_2_00007FF64DC570A0
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A361B284 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_00007FF7A361B284
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A361BF20 SetUnhandledExceptionFilter, 26_2_00007FF7A361BF20
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A361BD44 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00007FF7A361BD44
Source: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe Code function: 30_2_00007FF6C5E64694 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 30_2_00007FF6C5E64694
Source: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe Code function: 30_2_00007FF6C5E64360 SetUnhandledExceptionFilter, 30_2_00007FF6C5E64360
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA90028 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 34_2_00007FF75CA90028
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA90640 SetUnhandledExceptionFilter, 34_2_00007FF75CA90640
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2C3B8C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_00007FF69A2C3B8C
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2C3D68 SetUnhandledExceptionFilter, 37_2_00007FF69A2C3D68
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2C35E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 37_2_00007FF69A2C35E4
Source: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe Code function: 39_2_00007FF639958450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 39_2_00007FF639958450
Source: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe Code function: 39_2_00007FF639958750 SetUnhandledExceptionFilter, 39_2_00007FF639958750
Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe Code function: 41_2_00007FF7635C7E80 SetUnhandledExceptionFilter, 41_2_00007FF7635C7E80
Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe Code function: 41_2_00007FF7635C7AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 41_2_00007FF7635C7AA4
Note: the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter / TerminateProcess and RtlCaptureContext / RtlLookupFunctionEntry / RtlVirtualUnwind sequences above are the fail-fast and exception-reporting routines of the statically linked MSVC C runtime, and the addresses place them inside the dropped executables' own images. They are normal CRT code in those executables, not a debugger check added by the Dridex payload.

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: WINSTA.dll.6.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Note: the listing above is a 32-bit decode of the atom bytes. In 64-bit mode 0x40, 0x41 and 0x48 are REX prefixes, so the 18 bytes are an ordinary x64 function prologue: push rbp, rbx, rsi, rdi, r12, r14; lea rbp, [rsp-2Fh]; sub rsp, imm32, with the immediate cut off after its first byte (98h).
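Atom Bombing stores code in the global atom table and has the target process copy it out (GlobalGetAtomName, driven by the queued APC), so the atom name itself is the payload. The sandbox printed that name as hex and decoded it as 32-bit x86, which is how "40 55" became "inc eax / push ebp"; in 64-bit mode 0x40 through 0x4F are REX prefixes. The following decoder is an added example, not part of the report: it understands only the instruction forms present in this MSVC-style prologue (REX prefix, push r64, lea r64,[rsp+disp8], sub rsp,imm32), reports everything else as unsupported, and flags truncation, which is what the trailing 98h here turns out to be. The prologue heuristic in triage_atom is an assumption for triage, not a definition from the report.

```python
"""Decode the hex atom name from the report as 64-bit code."""
import re
from typing import List, Optional, Tuple

# Atom name exactly as printed in the report above.
ATOM_HEX = "405553565741544156488D6C24D14881EC98"

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
         "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]


def decode_x64(data: bytes) -> List[Tuple[int, str]]:
    """Minimal x64 decoder: REX prefix, push r64, lea r,[base+disp8] (SIB form),
    and 81 /5 sub r/m,imm32. Returns (offset, text) pairs and stops at the
    first byte it does not understand or at a truncated instruction."""
    out: List[Tuple[int, str]] = []
    i, n = 0, len(data)
    while i < n:
        start = i
        rex_w = rex_r = rex_b = 0
        if 0x40 <= data[i] <= 0x4F:            # REX prefix: 0100 W R X B
            rex_w, rex_r, rex_b = (data[i] >> 3) & 1, (data[i] >> 2) & 1, data[i] & 1
            i += 1
            if i >= n:
                out.append((start, "<truncated: REX prefix with no opcode>"))
                break
        op = data[i]
        i += 1
        if 0x50 <= op <= 0x57:                 # push r64; REX.B selects r8-r15
            out.append((start, f"push {REG64[(op - 0x50) | (rex_b << 3)]}"))
            continue
        if op == 0x8D:                         # lea r, [base+disp8] via SIB
            if i + 3 > n:
                out.append((start, "<truncated: lea missing ModRM/SIB/disp8>"))
                break
            modrm, sib, disp = data[i], data[i + 1], data[i + 2]
            mod, reg, rm = modrm >> 6, ((modrm >> 3) & 7) | (rex_r << 3), modrm & 7
            base, index = sib & 7, (sib >> 3) & 7
            if mod != 1 or rm != 4 or index != 4:
                out.append((start, "<unsupported lea addressing form>"))
                break
            i += 3
            disp_s = disp - 256 if disp >= 128 else disp
            dest = (REG64 if rex_w else REG32)[reg]
            sign = "-" if disp_s < 0 else "+"
            out.append((start, f"lea {dest}, [{REG64[base | (rex_b << 3)]}{sign}0x{abs(disp_s):x}]"))
            continue
        if op == 0x81:                         # 81 /5 id: sub r/m, imm32
            if i >= n:
                out.append((start, "<truncated: 0x81 missing ModRM>"))
                break
            modrm = data[i]
            i += 1
            if modrm >> 6 != 3 or ((modrm >> 3) & 7) != 5:
                out.append((start, "<unsupported 0x81 form>"))
                break
            dest = (REG64 if rex_w else REG32)[(modrm & 7) | (rex_b << 3)]
            if i + 4 > n:
                out.append((start, f"sub {dest}, <imm32 truncated: {n - i} of 4 bytes present>"))
                break
            imm = int.from_bytes(data[i:i + 4], "little", signed=True)
            i += 4
            out.append((start, f"sub {dest}, 0x{imm:x}"))
            continue
        out.append((start, f"<unsupported opcode 0x{op:02x}>"))
        break
    return out


def triage_atom(name: str) -> Optional[dict]:
    """Decode an atom name if it is an even-length hex string; ordinary atoms
    (window-class names such as Shell_TrayWnd) are not hex and yield None."""
    if len(name) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", name):
        return None
    insns = decode_x64(bytes.fromhex(name))
    texts = [t for _, t in insns]
    pushes = sum(1 for t in texts if t.startswith("push "))
    return {
        "size": len(name) // 2,
        "instructions": texts,
        # Assumed heuristic: several callee-saved pushes then a frame/stack setup.
        "looks_like_prologue": pushes >= 3 and any(t.startswith(("sub rsp", "lea rbp")) for t in texts),
    }


if __name__ == "__main__":
    for off, text in decode_x64(bytes.fromhex(ATOM_HEX)):
        print(f"{off:#06x}  {text}")
```

Run against the report's atom this prints push rbp / rbx / rsi / rdi / r12 / r14, lea rbp, [rsp-0x2f] and a sub rsp whose 32-bit immediate has only one byte present. Global atoms are limited to 255 bytes, so a payload written this way is normally split over many atoms; seeing only one in the report means the rest were either not logged or the decode is of one fragment.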
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\P7n0h6OhYp.dll',#1
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A3618CAC mouse_event,SetForegroundWindow, 26_2_00007FF7A3618CAC
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5C290 memset,memset,memset,memset,memset,memset,memset,memset,InitializeSecurityDescriptor,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,SetEntriesInAclW,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity,LocalFree,GetLastError,GetLastError, 34_2_00007FF75CA5C290
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A3616418 AllocateAndInitializeSid,GetLastError,CloseHandle,SetLastError,OpenProcessToken,GetLastError,CloseHandle,SetLastError,DuplicateToken,CheckTokenMembership,GetLastError,FreeSid,CloseHandle,CloseHandle, 26_2_00007FF7A3616418
Source: explorer.exe, 00000006.00000000.293021338.0000000001640000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.293021338.0000000001640000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.293021338.0000000001640000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000006.00000000.264233925.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000006.00000000.293021338.0000000001640000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000006.00000000.293021338.0000000001640000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe Queries volume information: unknown VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: _o__Getdays,_o_free,_o__Getmonths,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx, 26_2_00007FF7A360A840
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: _o__Getdays,_o_free,_o_calloc,_o__Getmonths,_o_free,_o_calloc,_o_calloc,_o____lc_locale_name_func,GetLocaleInfoEx,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task, 26_2_00007FF7A3600A3C
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: _o__W_Getdays,_o_free,_o_malloc,memmove,_o_free,_o__W_Getmonths,_o_free,_o_malloc,memmove,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx, 26_2_00007FF7A360CE28
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: RoInitialize,CoInitializeSecurity,RegisterWindowMessageW,CommandLineToArgvW,wcschr,_o__wcsnicmp,wcsnlen,_o_wcstol,_o__wcsnicmp,_o_wcstol,FindWindowW,GetUserDefaultUILanguage,GetLocaleInfoW,SetProcessDefaultLayout,IsWindow,SetProcessDpiAwareness,PostMessageW,memset,PostQuitMessage,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,EventUnregister,CloseHandle,EventUnregister,UnhookWinEvent,LocalFree,CloseHandle,RoUninitialize, 26_2_00007FF7A35A72C8
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: WindowsGetStringRawBuffer,WideCharToMultiByte,WindowsDeleteString,WindowsDuplicateString,WindowsDeleteString,WindowsDuplicateString,GetUserDefaultUILanguage,LCIDToLocaleName,GetLocaleInfoEx, 26_2_00007FF7A3586068
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: GetSystemDefaultUILanguage,GetLocaleInfoW, 34_2_00007FF75CA5BFCC
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,free,_CxxThrowException,_CxxThrowException, 34_2_00007FF75CA26FB4
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe Code function: 21_2_00007FF73A1B74C0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 21_2_00007FF73A1B74C0
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5C018 memset,GetVersionExW,GetProductInfo, 34_2_00007FF75CA5C018
Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe Code function: 21_2_00007FF73A1B4A50 GetUserNameExW,GetLastError,GetUserNameExW,GetLastError, 21_2_00007FF73A1B4A50

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe Code function: 21_2_00007FF73A1B6AB4 memset,CreateBindCtx,StringFromCLSID,MkParseDisplayName,CoTaskMemFree, 21_2_00007FF73A1B6AB4
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5B6B0 SHGetDataFromIDListW,SHBindToFolderIDListParent,StrRetToStrW,PathMatchSpecExW,CoTaskMemFree, 34_2_00007FF75CA5B6B0
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2AE7C0 wcspbrk,#4,#6,#4,#6,#4,#6,#6,#6,GetKeyboardLayout,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?SetContentString@Element@DirectUI@@QEAAJPEBG@Z,#6,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?SetContentString@Element@DirectUI@@QEAAJPEBG@Z,#6,#6,#2,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,SendMessageW,SendMessageW,memset,LoadStringW,SendMessageW,LoadStringW,SendMessageW,#8,#9,CoCreateInstance,AccSetRunningUtilityState,memset,#8,#9, 37_2_00007FF69A2AE7C0
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2ADDC8 AccSetRunningUtilityState,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?RemoveListener@Element@DirectUI@@QEAAXPEAUIElementListener@2@@Z,?SyncDestroyWindow@NativeHWNDHost@DirectUI@@QEAAXXZ, 37_2_00007FF69A2ADDC8
No contacted IP infos