Windows Analysis Report K7dGM0P0yz

Overview

General Information

Sample Name: K7dGM0P0yz (renamed file extension from none to dll)
Analysis ID: 492437
MD5: 2955d4759afce09a41c1df5b108f0287
SHA1: 11e277c3c987b4119909dd099a5f901e074698e3
SHA256: 97058d4465daae2446886d425d9a8215df518e6845e8a4bedb30acea4e8d2070
Tags: Dridexexe

Detection

Dridex
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Contains functionality to get notified if a device is plugged in / out
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Installs a raw input device (often for capturing keystrokes)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Contains functionality to read device registry values (via SetupAPI)
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: K7dGM0P0yz.dll Virustotal: Detection: 62%
Source: K7dGM0P0yz.dll Metadefender: Detection: 65%
Source: K7dGM0P0yz.dll ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: K7dGM0P0yz.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\I0o\dwmapi.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\vh7jtu\WINSTA.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Fox\dxva2.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1C2D94 CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext, 20_2_00007FF6CE1C2D94
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B9584C10 RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CryptBinaryToStringW,CryptBinaryToStringW,NtClose, 27_2_00007FF7B9584C10
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2C8534 CryptDestroyHash,CryptReleaseContext, 37_2_00007FF66A2C8534
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2C874C CryptHashData, 37_2_00007FF66A2C874C
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2C88F8 CryptHashData, 37_2_00007FF66A2C88F8
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2C8598 CryptAcquireContextW,CryptCreateHash, 37_2_00007FF66A2C8598
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2C8610 CryptGetHashParam,memset, 37_2_00007FF66A2C8610
Source: K7dGM0P0yz.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: dccw.pdbGCTL source: dccw.exe, 00000020.00000000.909233462.00007FF7D5271000.00000002.00020000.sdmp
Source: Binary string: dccw.pdb source: dccw.exe, 00000020.00000000.909233462.00007FF7D5271000.00000002.00020000.sdmp
Source: Binary string: dpapimig.pdbGCTL source: dpapimig.exe, 00000022.00000002.967632855.00007FF6312D4000.00000002.00020000.sdmp
Source: Binary string: bdechangepin.pdb source: bdechangepin.exe, 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
Source: Binary string: rdpclip.pdbGCTL source: rdpclip.exe, 0000001B.00000002.877262462.00007FF7B95D1000.00000002.00020000.sdmp
Source: Binary string: bdechangepin.pdbGCTL source: bdechangepin.exe, 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
Source: Binary string: rdpinit.pdb source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmp
Source: Binary string: rdpinit.pdbGCTL source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmp
Source: Binary string: wlrmdr.pdbGCTL source: wlrmdr.exe, 00000018.00000000.825586991.00007FF79A6F6000.00000002.00020000.sdmp
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp
Source: Binary string: wlrmdr.pdb source: wlrmdr.exe, 00000018.00000000.825586991.00007FF79A6F6000.00000002.00020000.sdmp
Source: Binary string: AgentService.pdbGCTL source: AgentService.exe, 0000001E.00000000.880768467.00007FF71B701000.00000002.00020000.sdmp
Source: Binary string: rdpclip.pdb source: rdpclip.exe, 0000001B.00000002.877262462.00007FF7B95D1000.00000002.00020000.sdmp
Source: Binary string: AgentService.pdb source: AgentService.exe, 0000001E.00000000.880768467.00007FF71B701000.00000002.00020000.sdmp
Source: Binary string: dpapimig.pdb source: dpapimig.exe, 00000022.00000002.967632855.00007FF6312D4000.00000002.00020000.sdmp
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp

Spreading:

Contains functionality to get notified if a device is plugged in / out
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B958603C GetModuleHandleExW,memset,RegisterClassW,CreateWindowExW,GetLastError,memset,RegisterDeviceNotificationW,GetLastError,memset,RegisterDeviceNotificationW,GetLastError,UnregisterDeviceNotification,UnregisterDeviceNotification, 27_2_00007FF7B958603C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B95B2380 memset,memset,memset,wcschr,wcsrchr,FindNextFileW,FindFirstFileW,FindNextFileW,GetLastError,wcsrchr,FindClose,LocalFree,LocalAlloc,GetLastError,GetLastError,FindClose,FindClose,LocalFree, 27_2_00007FF7B95B2380
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: 30_2_00007FF71B679110 ??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,FindFirstFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,FindNextFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,std::bad_exception::bad_exception,_CxxThrowException, 30_2_00007FF71B679110
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augment
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/gameclips/Augment
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/screenshots/Augment
Source: GamePanel.exe String found in binary or memory: https://aka.ms/ifg0es
Source: GamePanel.exe String found in binary or memory: https://aka.ms/imfx4k
Source: GamePanel.exe String found in binary or memory: https://aka.ms/imrx2o
Source: GamePanel.exe String found in binary or memory: https://aka.ms/v5do45
Source: GamePanel.exe String found in binary or memory: https://aka.ms/w5ryqn
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp String found in binary or memory: https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING
Source: GamePanel.exe, GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp String found in binary or memory: https://aka.ms/wk9ocd
Source: GamePanel.exe String found in binary or memory: https://mixer.com/%ws
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp String found in binary or memory: https://mixer.com/%wsWindows.System.Launcher
Source: GamePanel.exe String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.png
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia
Source: GamePanel.exe, GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp String found in binary or memory: https://mixer.com/api/v1/broadcasts/current
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/channels/%d
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/channels/%ws
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/chats/%.0f
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp String found in binary or memory: https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/oauth/xbl/login
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/types/lookup%ws
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp String found in binary or memory: https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/users/current
Source: GamePanel.exe String found in binary or memory: https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw
Source: GamePanel.exe String found in binary or memory: https://www.xboxlive.com
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp String found in binary or memory: https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Fox\dccw.exe Code function: 32_2_00007FF7D526DA68 GetObjectW,GetLastError,GetWindowRect,GetLastError,GetDC,GetLastError,CreateCompatibleDC,GetLastError,SelectObject,CreateCompatibleDC,GetLastError,SetStretchBltMode,GetLastError,CreateCompatibleBitmap,GetLastError,SelectObject,StretchBlt,GetLastError,SendMessageW,DeleteObject,ReleaseDC,DeleteDC,DeleteDC,DeleteObject, 32_2_00007FF7D526DA68
Installs a raw input device (often for capturing keystrokes)
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A3045E0 UiaReturnRawElementProvider,GetRawInputData,GetMessageExtraInfo,GetMessageExtraInfo,SendMessageW,SendMessageW,MulDiv,#413,Concurrency::cancel_current_task, 37_2_00007FF66A3045E0

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000008.00000002.674588856.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1020058745.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.903179432.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.812981764.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.874877392.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.681792937.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.965505490.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.931145989.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.847453673.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.666466905.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.786920888.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.749176319.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.992899569.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Detected potential crypto function
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: 30_2_00007FF71B677580 30_2_00007FF71B677580
Source: C:\Users\user\AppData\Local\Fox\dccw.exe Code function: 32_2_00007FF7D526124C 32_2_00007FF7D526124C
Source: C:\Users\user\AppData\Local\Fox\dccw.exe Code function: 32_2_00007FF7D5262C3C 32_2_00007FF7D5262C3C
Source: C:\Users\user\AppData\Local\Fox\dccw.exe Code function: 32_2_00007FF7D526DA68 32_2_00007FF7D526DA68
Source: C:\Users\user\AppData\Local\Fox\dccw.exe Code function: 32_2_00007FF7D52680F0 32_2_00007FF7D52680F0
Source: C:\Users\user\AppData\Local\Fox\dccw.exe Code function: 32_2_00007FF7D5262384 32_2_00007FF7D5262384
Source: C:\Users\user\AppData\Local\Fox\dccw.exe Code function: 32_2_00007FF7D52635C4 32_2_00007FF7D52635C4
Source: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe Code function: 34_2_00007FF6312D1F08 34_2_00007FF6312D1F08
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2F0C44 37_2_00007FF66A2F0C44
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A284CDC 37_2_00007FF66A284CDC
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A29ED00 37_2_00007FF66A29ED00
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2CCCFC 37_2_00007FF66A2CCCFC
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2B6948 37_2_00007FF66A2B6948
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2FA998 37_2_00007FF66A2FA998
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2C89F4 37_2_00007FF66A2C89F4
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2CAFF0 37_2_00007FF66A2CAFF0
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2FD010 37_2_00007FF66A2FD010
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2EB124 37_2_00007FF66A2EB124
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2EED90 37_2_00007FF66A2EED90
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2E4DD0 37_2_00007FF66A2E4DD0
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2FEE40 37_2_00007FF66A2FEE40
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2B8F14 37_2_00007FF66A2B8F14
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2943B8 37_2_00007FF66A2943B8
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2E21AC 37_2_00007FF66A2E21AC
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2A21AC 37_2_00007FF66A2A21AC
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2E4198 37_2_00007FF66A2E4198
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A28E224 37_2_00007FF66A28E224
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2AA250 37_2_00007FF66A2AA250
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2EC2D8 37_2_00007FF66A2EC2D8
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A26A7EC 37_2_00007FF66A26A7EC
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A3147E5 37_2_00007FF66A3147E5
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A26E7FC 37_2_00007FF66A26E7FC
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A279AF0 37_2_00007FF66A279AF0
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2C48C0 37_2_00007FF66A2C48C0
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A29E560 37_2_00007FF66A29E560
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2B253C 37_2_00007FF66A2B253C
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A3045E0 37_2_00007FF66A3045E0
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2CA5D0 37_2_00007FF66A2CA5D0
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2C0620 37_2_00007FF66A2C0620
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2D0644 37_2_00007FF66A2D0644
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A300728 37_2_00007FF66A300728
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A30DB6C 37_2_00007FF66A30DB6C
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A29DC44 37_2_00007FF66A29DC44
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A30FC59 37_2_00007FF66A30FC59
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2EBD14 37_2_00007FF66A2EBD14
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2F7A20 37_2_00007FF66A2F7A20
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2D7A00 37_2_00007FF66A2D7A00
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2D1AD4 37_2_00007FF66A2D1AD4
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2FBF88 37_2_00007FF66A2FBF88
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A30BFEC 37_2_00007FF66A30BFEC
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A26A058 37_2_00007FF66A26A058
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A263D38 37_2_00007FF66A263D38
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2CBE58 37_2_00007FF66A2CBE58
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2D5F08 37_2_00007FF66A2D5F08
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2F137C 37_2_00007FF66A2F137C
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A307460 37_2_00007FF66A307460
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2CB454 37_2_00007FF66A2CB454
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2B9484 37_2_00007FF66A2B9484
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2FB14C 37_2_00007FF66A2FB14C
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2F5190 37_2_00007FF66A2F5190
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2DB26C 37_2_00007FF66A2DB26C
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A293260 37_2_00007FF66A293260
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2972C8 37_2_00007FF66A2972C8
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A30D7A2 37_2_00007FF66A30D7A2
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2FD788 37_2_00007FF66A2FD788
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A26B928 37_2_00007FF66A26B928
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2EF920 37_2_00007FF66A2EF920
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2CD6B0 37_2_00007FF66A2CD6B0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: String function: 00007FF66A264D68 appears 192 times
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: String function: 00007FF66A2762E4 appears 62 times
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: String function: 00007FF66A266894 appears 49 times
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: String function: 00007FF66A306AD8 appears 230 times
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: String function: 00007FF66A2632F8 appears 394 times
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: String function: 00007FF71B6459E0 appears 153 times
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: String function: 00007FF71B685CE8 appears 64 times
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: String function: 00007FF71B643F1C appears 39 times
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: String function: 00007FF71B645BC4 appears 55 times
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Code function: String function: 00007FF636981400 appears 70 times
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: String function: 00007FF7B95867D8 appears 58 times
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: 30_2_00007FF71B6493A8 memset,CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,swprintf_s,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z, 30_2_00007FF71B6493A8
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140046C90 NtClose, 0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 NtQuerySystemInformation, 0_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1E9590 GetWindowThreadProcessId,CloseHandle,OpenProcess,QueryFullProcessImageNameW,NtQueryInformationProcess,CloseHandle, 20_2_00007FF6CE1E9590
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe Code function: 24_2_00007FF79A6F2E0C NtQuerySystemInformation,NtQuerySystemInformation,LocalFree,LocalAlloc,GetLastError,LocalFree,RtlNtStatusToDosError,RtlCompareUnicodeString, 24_2_00007FF79A6F2E0C
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe Code function: 24_2_00007FF79A6F2F58 memset,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,CloseHandle, 24_2_00007FF79A6F2F58
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B9584C10 RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CryptBinaryToStringW,CryptBinaryToStringW,NtClose, 27_2_00007FF7B9584C10
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B9584E58 RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,memset,memcpy_s,CloseHandle, 27_2_00007FF7B9584E58
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B95848B8 memset,QueryDosDeviceW,RtlInitUnicodeString,NtCreateFile,NtClose,DefineDosDeviceW,GetLastError, 27_2_00007FF7B95848B8
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A2D6C44 RtlInitUnicodeString,NtQueryLicenseValue, 37_2_00007FF66A2D6C44
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A30A9CC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString, 37_2_00007FF66A30A9CC
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B9584C10: RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CryptBinaryToStringW,CryptBinaryToStringW,NtClose, 27_2_00007FF7B9584C10
PE file contains executable resources (Code or Archives)
Source: RdpSaUacHelper.exe.5.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file contains strange resources
Source: bdechangepin.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdechangepin.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdechangepin.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wlrmdr.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wlrmdr.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dccw.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dccw.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dccw.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: osk.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: osk.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: osk.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: dwmapi.dll1.5.dr Static PE information: Number of sections : 37 > 10
Source: K7dGM0P0yz.dll Static PE information: Number of sections : 36 > 10
Source: DUI70.dll.5.dr Static PE information: Number of sections : 37 > 10
Source: WINSTA.dll.5.dr Static PE information: Number of sections : 37 > 10
Source: VERSION.dll1.5.dr Static PE information: Number of sections : 37 > 10
Source: DUI70.dll1.5.dr Static PE information: Number of sections : 37 > 10
Source: dwmapi.dll0.5.dr Static PE information: Number of sections : 37 > 10
Source: dxva2.dll.5.dr Static PE information: Number of sections : 37 > 10
Source: VERSION.dll0.5.dr Static PE information: Number of sections : 37 > 10
Source: dwmapi.dll.5.dr Static PE information: Number of sections : 37 > 10
Source: DUI70.dll2.5.dr Static PE information: Number of sections : 37 > 10
Source: DUI70.dll0.5.dr Static PE information: Number of sections : 37 > 10
Source: VERSION.dll.5.dr Static PE information: Number of sections : 37 > 10
Source: K7dGM0P0yz.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll0.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dxva2.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll1.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll1.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll2.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll0.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll1.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: K7dGM0P0yz.dll Virustotal: Detection: 62%
Source: K7dGM0P0yz.dll Metadefender: Detection: 65%
Source: K7dGM0P0yz.dll ReversingLabs: Detection: 77%
Source: K7dGM0P0yz.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedAnimation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedPaint
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginPanningFeedback
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\bdechangepin.exe C:\Windows\system32\bdechangepin.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rdpinit.exe C:\Windows\system32\rdpinit.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe C:\Users\user\AppData\Local\hJetkV\rdpinit.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wlrmdr.exe C:\Windows\system32\wlrmdr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe C:\Users\user\AppData\Local\YRu8\wlrmdr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rdpclip.exe C:\Windows\system32\rdpclip.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\I0o\rdpclip.exe C:\Users\user\AppData\Local\I0o\rdpclip.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\eF0\AgentService.exe C:\Users\user\AppData\Local\eF0\AgentService.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\dccw.exe C:\Windows\system32\dccw.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Fox\dccw.exe C:\Users\user\AppData\Local\Fox\dccw.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\dpapimig.exe C:\Windows\system32\dpapimig.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\RdpSaUacHelper.exe C:\Windows\system32\RdpSaUacHelper.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\osk.exe C:\Windows\system32\osk.exe
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: 30_2_00007FF71B65943C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,GetLastError, 30_2_00007FF71B65943C
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal96.troj.evad.winDLL@54/25@0/0
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1D2FB4 CoCreateInstance,RtlPublishWnfStateData,RtlPublishWnfStateData,RtlPublishWnfStateData, 20_2_00007FF6CE1D2FB4
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Code function: 16_2_00007FF636983364 InitializeCriticalSection,GetCommandLineW,CommandLineToArgvW,GetLastError,iswalpha,towupper,EnterCriticalSection,FormatMessageW,GetModuleHandleW,#344,LeaveCriticalSection,LeaveCriticalSection,CoInitialize,InitProcessPriv,InitThread,FormatMessageW,GetLastError,CreateMutexW,GetLastError,CloseHandle,FindWindowW,SetForegroundWindow,LocalFree,LocalFree,UnInitThread,UnInitProcessPriv,CoUninitialize,CloseHandle,DeleteCriticalSection,GetSystemMetrics,GetSystemMetrics,GetModuleHandleW,LoadImageW,?Create@NativeHWNDHost@DirectUI@@SAJPEBGPEAUHWND__@@PEAUHICON__@@HHHHHHIPEAPEAV12@@Z,EnterCriticalSection,LeaveCriticalSection,?EndDefer@Element@DirectUI@@QEAAXK@Z,?SetVisible@Element@DirectUI@@QEAAJ_N@Z,?EndDefer@Element@DirectUI@@QEAAXK@Z,?Host@NativeHWNDHost@DirectUI@@QEAAXPEAVElement@2@@Z,?ShowWindow@NativeHWNDHost@DirectUI@@QEAAXH@Z,StartMessagePump, 16_2_00007FF636983364
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: 30_2_00007FF71B64345C StartServiceCtrlDispatcherW,GetLastError, 30_2_00007FF71B64345C
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe Code function: 24_2_00007FF79A6F3464 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,StartServiceW,GetLastError,QueryServiceStatus,Sleep,GetLastError,CloseServiceHandle,CloseServiceHandle, 24_2_00007FF79A6F3464
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedAnimation
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Mutant created: \Sessions\1\BaseNamedObjects\{832029fd-8b48-c9e2-536d-2d493fe88741}
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Mutant created: \Sessions\1\BaseNamedObjects\{bcabdb27-9189-fb60-e76f-c1e63267ec97}
Source: C:\Users\user\AppData\Local\Fox\dccw.exe Code function: 32_2_00007FF7D52635C4 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,memset,GetModuleFileNameW,GetModuleHandleW,EnterCriticalSection,memcpy_s,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection, 32_2_00007FF7D52635C4
Source: rdpinit.exe String found in binary or memory: Re-Start RdpShell failed
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FINALIZING
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FINALIZING
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync SUCCEEDED
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync SUCCEEDED
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
Source: K7dGM0P0yz.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: K7dGM0P0yz.dll Static file information: File size 1224704 > 1048576
Source: K7dGM0P0yz.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: dccw.pdbGCTL source: dccw.exe, 00000020.00000000.909233462.00007FF7D5271000.00000002.00020000.sdmp
Source: Binary string: dccw.pdb source: dccw.exe, 00000020.00000000.909233462.00007FF7D5271000.00000002.00020000.sdmp
Source: Binary string: dpapimig.pdbGCTL source: dpapimig.exe, 00000022.00000002.967632855.00007FF6312D4000.00000002.00020000.sdmp
Source: Binary string: bdechangepin.pdb source: bdechangepin.exe, 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
Source: Binary string: rdpclip.pdbGCTL source: rdpclip.exe, 0000001B.00000002.877262462.00007FF7B95D1000.00000002.00020000.sdmp
Source: Binary string: bdechangepin.pdbGCTL source: bdechangepin.exe, 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
Source: Binary string: rdpinit.pdb source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmp
Source: Binary string: rdpinit.pdbGCTL source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmp
Source: Binary string: wlrmdr.pdbGCTL source: wlrmdr.exe, 00000018.00000000.825586991.00007FF79A6F6000.00000002.00020000.sdmp
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp
Source: Binary string: wlrmdr.pdb source: wlrmdr.exe, 00000018.00000000.825586991.00007FF79A6F6000.00000002.00020000.sdmp
Source: Binary string: AgentService.pdbGCTL source: AgentService.exe, 0000001E.00000000.880768467.00007FF71B701000.00000002.00020000.sdmp
Source: Binary string: rdpclip.pdb source: rdpclip.exe, 0000001B.00000002.877262462.00007FF7B95D1000.00000002.00020000.sdmp
Source: Binary string: AgentService.pdb source: AgentService.exe, 0000001E.00000000.880768467.00007FF71B701000.00000002.00020000.sdmp
Source: Binary string: dpapimig.pdb source: dpapimig.exe, 00000022.00000002.967632855.00007FF6312D4000.00000002.00020000.sdmp
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret 0_2_0000000140056A4E
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1D4162 push rcx; ret 20_2_00007FF6CE1D4163
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B958CD52 push rcx; ret 27_2_00007FF7B958CD53
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: 30_2_00007FF71B68FF70 pushfq ; retf 30_2_00007FF71B68FF71
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: 30_2_00007FF71B6884C0 push rsp; retf 30_2_00007FF71B6884C1
PE file contains sections with non-standard names
Source: K7dGM0P0yz.dll Static PE information: section name: .qkm
Source: K7dGM0P0yz.dll Static PE information: section name: .cvjb
Source: K7dGM0P0yz.dll Static PE information: section name: .tlmkv
Source: K7dGM0P0yz.dll Static PE information: section name: .wucsxe
Source: K7dGM0P0yz.dll Static PE information: section name: .wnx
Source: K7dGM0P0yz.dll Static PE information: section name: .weqy
Source: K7dGM0P0yz.dll Static PE information: section name: .yby
Source: K7dGM0P0yz.dll Static PE information: section name: .ormx
Source: K7dGM0P0yz.dll Static PE information: section name: .dhclu
Source: K7dGM0P0yz.dll Static PE information: section name: .xmiul
Source: K7dGM0P0yz.dll Static PE information: section name: .tlwcxe
Source: K7dGM0P0yz.dll Static PE information: section name: .get
Source: K7dGM0P0yz.dll Static PE information: section name: .hzrd
Source: K7dGM0P0yz.dll Static PE information: section name: .qzu
Source: K7dGM0P0yz.dll Static PE information: section name: .nhglos
Source: K7dGM0P0yz.dll Static PE information: section name: .itzo
Source: K7dGM0P0yz.dll Static PE information: section name: .nmsaom
Source: K7dGM0P0yz.dll Static PE information: section name: .mas
Source: K7dGM0P0yz.dll Static PE information: section name: .ldov
Source: K7dGM0P0yz.dll Static PE information: section name: .bwslm
Source: K7dGM0P0yz.dll Static PE information: section name: .gfceb
Source: K7dGM0P0yz.dll Static PE information: section name: .nojmwb
Source: K7dGM0P0yz.dll Static PE information: section name: .naznun
Source: K7dGM0P0yz.dll Static PE information: section name: .iyfv
Source: K7dGM0P0yz.dll Static PE information: section name: .iqae
Source: K7dGM0P0yz.dll Static PE information: section name: .zco
Source: K7dGM0P0yz.dll Static PE information: section name: .kqpcjh
Source: K7dGM0P0yz.dll Static PE information: section name: .unbzj
Source: K7dGM0P0yz.dll Static PE information: section name: .tcuit
Source: K7dGM0P0yz.dll Static PE information: section name: .sow
Source: rdpinit.exe.5.dr Static PE information: section name: .imrsiv
Source: wlrmdr.exe.5.dr Static PE information: section name: .imrsiv
Source: GamePanel.exe.5.dr Static PE information: section name: .imrsiv
Source: GamePanel.exe.5.dr Static PE information: section name: .didat
Source: systemreset.exe.5.dr Static PE information: section name: .imrsiv
Source: DUI70.dll.5.dr Static PE information: section name: .qkm
Source: DUI70.dll.5.dr Static PE information: section name: .cvjb
Source: DUI70.dll.5.dr Static PE information: section name: .tlmkv
Source: DUI70.dll.5.dr Static PE information: section name: .wucsxe
Source: DUI70.dll.5.dr Static PE information: section name: .wnx
Source: DUI70.dll.5.dr Static PE information: section name: .weqy
Source: DUI70.dll.5.dr Static PE information: section name: .yby
Source: DUI70.dll.5.dr Static PE information: section name: .ormx
Source: DUI70.dll.5.dr Static PE information: section name: .dhclu
Source: DUI70.dll.5.dr Static PE information: section name: .xmiul
Source: DUI70.dll.5.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll.5.dr Static PE information: section name: .get
Source: DUI70.dll.5.dr Static PE information: section name: .hzrd
Source: DUI70.dll.5.dr Static PE information: section name: .qzu
Source: DUI70.dll.5.dr Static PE information: section name: .nhglos
Source: DUI70.dll.5.dr Static PE information: section name: .itzo
Source: DUI70.dll.5.dr Static PE information: section name: .nmsaom
Source: DUI70.dll.5.dr Static PE information: section name: .mas
Source: DUI70.dll.5.dr Static PE information: section name: .ldov
Source: DUI70.dll.5.dr Static PE information: section name: .bwslm
Source: DUI70.dll.5.dr Static PE information: section name: .gfceb
Source: DUI70.dll.5.dr Static PE information: section name: .nojmwb
Source: DUI70.dll.5.dr Static PE information: section name: .naznun
Source: DUI70.dll.5.dr Static PE information: section name: .iyfv
Source: DUI70.dll.5.dr Static PE information: section name: .iqae
Source: DUI70.dll.5.dr Static PE information: section name: .zco
Source: DUI70.dll.5.dr Static PE information: section name: .kqpcjh
Source: DUI70.dll.5.dr Static PE information: section name: .unbzj
Source: DUI70.dll.5.dr Static PE information: section name: .tcuit
Source: DUI70.dll.5.dr Static PE information: section name: .sow
Source: DUI70.dll.5.dr Static PE information: section name: .njy
Source: dwmapi.dll.5.dr Static PE information: section name: .qkm
Source: dwmapi.dll.5.dr Static PE information: section name: .cvjb
Source: dwmapi.dll.5.dr Static PE information: section name: .tlmkv
Source: dwmapi.dll.5.dr Static PE information: section name: .wucsxe
Source: dwmapi.dll.5.dr Static PE information: section name: .wnx
Source: dwmapi.dll.5.dr Static PE information: section name: .weqy
Source: dwmapi.dll.5.dr Static PE information: section name: .yby
Source: dwmapi.dll.5.dr Static PE information: section name: .ormx
Source: dwmapi.dll.5.dr Static PE information: section name: .dhclu
Source: dwmapi.dll.5.dr Static PE information: section name: .xmiul
Source: dwmapi.dll.5.dr Static PE information: section name: .tlwcxe
Source: dwmapi.dll.5.dr Static PE information: section name: .get
Source: dwmapi.dll.5.dr Static PE information: section name: .hzrd
Source: dwmapi.dll.5.dr Static PE information: section name: .qzu
Source: dwmapi.dll.5.dr Static PE information: section name: .nhglos
Source: dwmapi.dll.5.dr Static PE information: section name: .itzo
Source: dwmapi.dll.5.dr Static PE information: section name: .nmsaom
Source: dwmapi.dll.5.dr Static PE information: section name: .mas
Source: dwmapi.dll.5.dr Static PE information: section name: .ldov
Source: dwmapi.dll.5.dr Static PE information: section name: .bwslm
Source: dwmapi.dll.5.dr Static PE information: section name: .gfceb
Source: dwmapi.dll.5.dr Static PE information: section name: .nojmwb
Source: dwmapi.dll.5.dr Static PE information: section name: .naznun
Source: dwmapi.dll.5.dr Static PE information: section name: .iyfv
Source: dwmapi.dll.5.dr Static PE information: section name: .iqae
Source: dwmapi.dll.5.dr Static PE information: section name: .zco
Source: dwmapi.dll.5.dr Static PE information: section name: .kqpcjh
Source: dwmapi.dll.5.dr Static PE information: section name: .unbzj
Source: dwmapi.dll.5.dr Static PE information: section name: .tcuit
Source: dwmapi.dll.5.dr Static PE information: section name: .sow
Source: dwmapi.dll.5.dr Static PE information: section name: .wsh
Source: DUI70.dll0.5.dr Static PE information: section name: .qkm
Source: DUI70.dll0.5.dr Static PE information: section name: .cvjb
Source: DUI70.dll0.5.dr Static PE information: section name: .tlmkv
Source: DUI70.dll0.5.dr Static PE information: section name: .wucsxe
Source: DUI70.dll0.5.dr Static PE information: section name: .wnx
Source: DUI70.dll0.5.dr Static PE information: section name: .weqy
Source: DUI70.dll0.5.dr Static PE information: section name: .yby
Source: DUI70.dll0.5.dr Static PE information: section name: .ormx
Source: DUI70.dll0.5.dr Static PE information: section name: .dhclu
Source: DUI70.dll0.5.dr Static PE information: section name: .xmiul
Source: DUI70.dll0.5.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll0.5.dr Static PE information: section name: .get
Source: DUI70.dll0.5.dr Static PE information: section name: .hzrd
Source: DUI70.dll0.5.dr Static PE information: section name: .qzu
Source: DUI70.dll0.5.dr Static PE information: section name: .nhglos
Source: DUI70.dll0.5.dr Static PE information: section name: .itzo
Source: DUI70.dll0.5.dr Static PE information: section name: .nmsaom
Source: DUI70.dll0.5.dr Static PE information: section name: .mas
Source: DUI70.dll0.5.dr Static PE information: section name: .ldov
Source: DUI70.dll0.5.dr Static PE information: section name: .bwslm
Source: DUI70.dll0.5.dr Static PE information: section name: .gfceb
Source: DUI70.dll0.5.dr Static PE information: section name: .nojmwb
Source: DUI70.dll0.5.dr Static PE information: section name: .naznun
Source: DUI70.dll0.5.dr Static PE information: section name: .iyfv
Source: DUI70.dll0.5.dr Static PE information: section name: .iqae
Source: DUI70.dll0.5.dr Static PE information: section name: .zco
Source: DUI70.dll0.5.dr Static PE information: section name: .kqpcjh
Source: DUI70.dll0.5.dr Static PE information: section name: .unbzj
Source: DUI70.dll0.5.dr Static PE information: section name: .tcuit
Source: DUI70.dll0.5.dr Static PE information: section name: .sow
Source: DUI70.dll0.5.dr Static PE information: section name: .jzccua
Source: dwmapi.dll0.5.dr Static PE information: section name: .qkm
Source: dwmapi.dll0.5.dr Static PE information: section name: .cvjb
Source: dwmapi.dll0.5.dr Static PE information: section name: .tlmkv
Source: dwmapi.dll0.5.dr Static PE information: section name: .wucsxe
Source: dwmapi.dll0.5.dr Static PE information: section name: .wnx
Source: dwmapi.dll0.5.dr Static PE information: section name: .weqy
Source: dwmapi.dll0.5.dr Static PE information: section name: .yby
Source: dwmapi.dll0.5.dr Static PE information: section name: .ormx
Source: dwmapi.dll0.5.dr Static PE information: section name: .dhclu
Source: dwmapi.dll0.5.dr Static PE information: section name: .xmiul
Source: dwmapi.dll0.5.dr Static PE information: section name: .tlwcxe
Source: dwmapi.dll0.5.dr Static PE information: section name: .get
Source: dwmapi.dll0.5.dr Static PE information: section name: .hzrd
Source: dwmapi.dll0.5.dr Static PE information: section name: .qzu
Source: dwmapi.dll0.5.dr Static PE information: section name: .nhglos
Source: dwmapi.dll0.5.dr Static PE information: section name: .itzo
Source: dwmapi.dll0.5.dr Static PE information: section name: .nmsaom
Source: dwmapi.dll0.5.dr Static PE information: section name: .mas
Source: dwmapi.dll0.5.dr Static PE information: section name: .ldov
Source: dwmapi.dll0.5.dr Static PE information: section name: .bwslm
Source: dwmapi.dll0.5.dr Static PE information: section name: .gfceb
Source: dwmapi.dll0.5.dr Static PE information: section name: .nojmwb
Source: dwmapi.dll0.5.dr Static PE information: section name: .naznun
Source: dwmapi.dll0.5.dr Static PE information: section name: .iyfv
Source: dwmapi.dll0.5.dr Static PE information: section name: .iqae
Source: dwmapi.dll0.5.dr Static PE information: section name: .zco
Source: dwmapi.dll0.5.dr Static PE information: section name: .kqpcjh
Source: dwmapi.dll0.5.dr Static PE information: section name: .unbzj
Source: dwmapi.dll0.5.dr Static PE information: section name: .tcuit
Source: dwmapi.dll0.5.dr Static PE information: section name: .sow
Source: dwmapi.dll0.5.dr Static PE information: section name: .lkfqq
Source: VERSION.dll.5.dr Static PE information: section name: .qkm
Source: VERSION.dll.5.dr Static PE information: section name: .cvjb
Source: VERSION.dll.5.dr Static PE information: section name: .tlmkv
Source: VERSION.dll.5.dr Static PE information: section name: .wucsxe
Source: VERSION.dll.5.dr Static PE information: section name: .wnx
Source: VERSION.dll.5.dr Static PE information: section name: .weqy
Source: VERSION.dll.5.dr Static PE information: section name: .yby
Source: VERSION.dll.5.dr Static PE information: section name: .ormx
Source: VERSION.dll.5.dr Static PE information: section name: .dhclu
Source: VERSION.dll.5.dr Static PE information: section name: .xmiul
Source: VERSION.dll.5.dr Static PE information: section name: .tlwcxe
Source: VERSION.dll.5.dr Static PE information: section name: .get
Source: VERSION.dll.5.dr Static PE information: section name: .hzrd
Source: VERSION.dll.5.dr Static PE information: section name: .qzu
Source: VERSION.dll.5.dr Static PE information: section name: .nhglos
Source: VERSION.dll.5.dr Static PE information: section name: .itzo
Source: VERSION.dll.5.dr Static PE information: section name: .nmsaom
Source: VERSION.dll.5.dr Static PE information: section name: .mas
Source: VERSION.dll.5.dr Static PE information: section name: .ldov
Source: VERSION.dll.5.dr Static PE information: section name: .bwslm
Source: VERSION.dll.5.dr Static PE information: section name: .gfceb
Source: VERSION.dll.5.dr Static PE information: section name: .nojmwb
Source: VERSION.dll.5.dr Static PE information: section name: .naznun
Source: VERSION.dll.5.dr Static PE information: section name: .iyfv
Source: VERSION.dll.5.dr Static PE information: section name: .iqae
Source: VERSION.dll.5.dr Static PE information: section name: .zco
Source: VERSION.dll.5.dr Static PE information: section name: .kqpcjh
Source: VERSION.dll.5.dr Static PE information: section name: .unbzj
Source: VERSION.dll.5.dr Static PE information: section name: .tcuit
Source: VERSION.dll.5.dr Static PE information: section name: .sow
Source: VERSION.dll.5.dr Static PE information: section name: .dcm
Source: dxva2.dll.5.dr Static PE information: section name: .qkm
Source: dxva2.dll.5.dr Static PE information: section name: .cvjb
Source: dxva2.dll.5.dr Static PE information: section name: .tlmkv
Source: dxva2.dll.5.dr Static PE information: section name: .wucsxe
Source: dxva2.dll.5.dr Static PE information: section name: .wnx
Source: dxva2.dll.5.dr Static PE information: section name: .weqy
Source: dxva2.dll.5.dr Static PE information: section name: .yby
Source: dxva2.dll.5.dr Static PE information: section name: .ormx
Source: dxva2.dll.5.dr Static PE information: section name: .dhclu
Source: dxva2.dll.5.dr Static PE information: section name: .xmiul
Source: dxva2.dll.5.dr Static PE information: section name: .tlwcxe
Source: dxva2.dll.5.dr Static PE information: section name: .get
Source: dxva2.dll.5.dr Static PE information: section name: .hzrd
Source: dxva2.dll.5.dr Static PE information: section name: .qzu
Source: dxva2.dll.5.dr Static PE information: section name: .nhglos
Source: dxva2.dll.5.dr Static PE information: section name: .itzo
Source: dxva2.dll.5.dr Static PE information: section name: .nmsaom
Source: dxva2.dll.5.dr Static PE information: section name: .mas
Source: dxva2.dll.5.dr Static PE information: section name: .ldov
Source: dxva2.dll.5.dr Static PE information: section name: .bwslm
Source: dxva2.dll.5.dr Static PE information: section name: .gfceb
Source: dxva2.dll.5.dr Static PE information: section name: .nojmwb
Source: dxva2.dll.5.dr Static PE information: section name: .naznun
Source: dxva2.dll.5.dr Static PE information: section name: .iyfv
Source: dxva2.dll.5.dr Static PE information: section name: .iqae
Source: dxva2.dll.5.dr Static PE information: section name: .zco
Source: dxva2.dll.5.dr Static PE information: section name: .kqpcjh
Source: dxva2.dll.5.dr Static PE information: section name: .unbzj
Source: dxva2.dll.5.dr Static PE information: section name: .tcuit
Source: dxva2.dll.5.dr Static PE information: section name: .sow
Source: dxva2.dll.5.dr Static PE information: section name: .znragi
Source: DUI70.dll1.5.dr Static PE information: section name: .qkm
Source: DUI70.dll1.5.dr Static PE information: section name: .cvjb
Source: DUI70.dll1.5.dr Static PE information: section name: .tlmkv
Source: DUI70.dll1.5.dr Static PE information: section name: .wucsxe
Source: DUI70.dll1.5.dr Static PE information: section name: .wnx
Source: DUI70.dll1.5.dr Static PE information: section name: .weqy
Source: DUI70.dll1.5.dr Static PE information: section name: .yby
Source: DUI70.dll1.5.dr Static PE information: section name: .ormx
Source: DUI70.dll1.5.dr Static PE information: section name: .dhclu
Source: DUI70.dll1.5.dr Static PE information: section name: .xmiul
Source: DUI70.dll1.5.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll1.5.dr Static PE information: section name: .get
Source: DUI70.dll1.5.dr Static PE information: section name: .hzrd
Source: DUI70.dll1.5.dr Static PE information: section name: .qzu
Source: DUI70.dll1.5.dr Static PE information: section name: .nhglos
Source: DUI70.dll1.5.dr Static PE information: section name: .itzo
Source: DUI70.dll1.5.dr Static PE information: section name: .nmsaom
Source: DUI70.dll1.5.dr Static PE information: section name: .mas
Source: DUI70.dll1.5.dr Static PE information: section name: .ldov
Source: DUI70.dll1.5.dr Static PE information: section name: .bwslm
Source: DUI70.dll1.5.dr Static PE information: section name: .gfceb
Source: DUI70.dll1.5.dr Static PE information: section name: .nojmwb
Source: DUI70.dll1.5.dr Static PE information: section name: .naznun
Source: DUI70.dll1.5.dr Static PE information: section name: .iyfv
Source: DUI70.dll1.5.dr Static PE information: section name: .iqae
Source: DUI70.dll1.5.dr Static PE information: section name: .zco
Source: DUI70.dll1.5.dr Static PE information: section name: .kqpcjh
Source: DUI70.dll1.5.dr Static PE information: section name: .unbzj
Source: DUI70.dll1.5.dr Static PE information: section name: .tcuit
Source: DUI70.dll1.5.dr Static PE information: section name: .sow
Source: DUI70.dll1.5.dr Static PE information: section name: .kdatc
Source: dwmapi.dll1.5.dr Static PE information: section name: .qkm
Source: dwmapi.dll1.5.dr Static PE information: section name: .cvjb
Source: dwmapi.dll1.5.dr Static PE information: section name: .tlmkv
Source: dwmapi.dll1.5.dr Static PE information: section name: .wucsxe
Source: dwmapi.dll1.5.dr Static PE information: section name: .wnx
Source: dwmapi.dll1.5.dr Static PE information: section name: .weqy
Source: dwmapi.dll1.5.dr Static PE information: section name: .yby
Source: dwmapi.dll1.5.dr Static PE information: section name: .ormx
Source: dwmapi.dll1.5.dr Static PE information: section name: .dhclu
Source: dwmapi.dll1.5.dr Static PE information: section name: .xmiul
Source: dwmapi.dll1.5.dr Static PE information: section name: .tlwcxe
Source: dwmapi.dll1.5.dr Static PE information: section name: .get
Source: dwmapi.dll1.5.dr Static PE information: section name: .hzrd
Source: dwmapi.dll1.5.dr Static PE information: section name: .qzu
Source: dwmapi.dll1.5.dr Static PE information: section name: .nhglos
Source: dwmapi.dll1.5.dr Static PE information: section name: .itzo
Source: dwmapi.dll1.5.dr Static PE information: section name: .nmsaom
Source: dwmapi.dll1.5.dr Static PE information: section name: .mas
Source: dwmapi.dll1.5.dr Static PE information: section name: .ldov
Source: dwmapi.dll1.5.dr Static PE information: section name: .bwslm
Source: dwmapi.dll1.5.dr Static PE information: section name: .gfceb
Source: dwmapi.dll1.5.dr Static PE information: section name: .nojmwb
Source: dwmapi.dll1.5.dr Static PE information: section name: .naznun
Source: dwmapi.dll1.5.dr Static PE information: section name: .iyfv
Source: dwmapi.dll1.5.dr Static PE information: section name: .iqae
Source: dwmapi.dll1.5.dr Static PE information: section name: .zco
Source: dwmapi.dll1.5.dr Static PE information: section name: .kqpcjh
Source: dwmapi.dll1.5.dr Static PE information: section name: .unbzj
Source: dwmapi.dll1.5.dr Static PE information: section name: .tcuit
Source: dwmapi.dll1.5.dr Static PE information: section name: .sow
Source: dwmapi.dll1.5.dr Static PE information: section name: .kum
Source: WINSTA.dll.5.dr Static PE information: section name: .qkm
Source: WINSTA.dll.5.dr Static PE information: section name: .cvjb
Source: WINSTA.dll.5.dr Static PE information: section name: .tlmkv
Source: WINSTA.dll.5.dr Static PE information: section name: .wucsxe
Source: WINSTA.dll.5.dr Static PE information: section name: .wnx
Source: WINSTA.dll.5.dr Static PE information: section name: .weqy
Source: WINSTA.dll.5.dr Static PE information: section name: .yby
Source: WINSTA.dll.5.dr Static PE information: section name: .ormx
Source: WINSTA.dll.5.dr Static PE information: section name: .dhclu
Source: WINSTA.dll.5.dr Static PE information: section name: .xmiul
Source: WINSTA.dll.5.dr Static PE information: section name: .tlwcxe
Source: WINSTA.dll.5.dr Static PE information: section name: .get
Source: WINSTA.dll.5.dr Static PE information: section name: .hzrd
Source: WINSTA.dll.5.dr Static PE information: section name: .qzu
Source: WINSTA.dll.5.dr Static PE information: section name: .nhglos
Source: WINSTA.dll.5.dr Static PE information: section name: .itzo
Source: WINSTA.dll.5.dr Static PE information: section name: .nmsaom
Source: WINSTA.dll.5.dr Static PE information: section name: .mas
Source: WINSTA.dll.5.dr Static PE information: section name: .ldov
Source: WINSTA.dll.5.dr Static PE information: section name: .bwslm
Source: WINSTA.dll.5.dr Static PE information: section name: .gfceb
Source: WINSTA.dll.5.dr Static PE information: section name: .nojmwb
Source: WINSTA.dll.5.dr Static PE information: section name: .naznun
Source: WINSTA.dll.5.dr Static PE information: section name: .iyfv
Source: WINSTA.dll.5.dr Static PE information: section name: .iqae
Source: WINSTA.dll.5.dr Static PE information: section name: .zco
Source: WINSTA.dll.5.dr Static PE information: section name: .kqpcjh
Source: WINSTA.dll.5.dr Static PE information: section name: .unbzj
Source: WINSTA.dll.5.dr Static PE information: section name: .tcuit
Source: WINSTA.dll.5.dr Static PE information: section name: .sow
Source: WINSTA.dll.5.dr Static PE information: section name: .ykoawy
Source: DUI70.dll2.5.dr Static PE information: section name: .qkm
Source: DUI70.dll2.5.dr Static PE information: section name: .cvjb
Source: DUI70.dll2.5.dr Static PE information: section name: .tlmkv
Source: DUI70.dll2.5.dr Static PE information: section name: .wucsxe
Source: DUI70.dll2.5.dr Static PE information: section name: .wnx
Source: DUI70.dll2.5.dr Static PE information: section name: .weqy
Source: DUI70.dll2.5.dr Static PE information: section name: .yby
Source: DUI70.dll2.5.dr Static PE information: section name: .ormx
Source: DUI70.dll2.5.dr Static PE information: section name: .dhclu
Source: DUI70.dll2.5.dr Static PE information: section name: .xmiul
Source: DUI70.dll2.5.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll2.5.dr Static PE information: section name: .get
Source: DUI70.dll2.5.dr Static PE information: section name: .hzrd
Source: DUI70.dll2.5.dr Static PE information: section name: .qzu
Source: DUI70.dll2.5.dr Static PE information: section name: .nhglos
Source: DUI70.dll2.5.dr Static PE information: section name: .itzo
Source: DUI70.dll2.5.dr Static PE information: section name: .nmsaom
Source: DUI70.dll2.5.dr Static PE information: section name: .mas
Source: DUI70.dll2.5.dr Static PE information: section name: .ldov
Source: DUI70.dll2.5.dr Static PE information: section name: .bwslm
Source: DUI70.dll2.5.dr Static PE information: section name: .gfceb
Source: DUI70.dll2.5.dr Static PE information: section name: .nojmwb
Source: DUI70.dll2.5.dr Static PE information: section name: .naznun
Source: DUI70.dll2.5.dr Static PE information: section name: .iyfv
Source: DUI70.dll2.5.dr Static PE information: section name: .iqae
Source: DUI70.dll2.5.dr Static PE information: section name: .zco
Source: DUI70.dll2.5.dr Static PE information: section name: .kqpcjh
Source: DUI70.dll2.5.dr Static PE information: section name: .unbzj
Source: DUI70.dll2.5.dr Static PE information: section name: .tcuit
Source: DUI70.dll2.5.dr Static PE information: section name: .sow
Source: DUI70.dll2.5.dr Static PE information: section name: .eavhk
Source: VERSION.dll0.5.dr Static PE information: section name: .qkm
Source: VERSION.dll0.5.dr Static PE information: section name: .cvjb
Source: VERSION.dll0.5.dr Static PE information: section name: .tlmkv
Source: VERSION.dll0.5.dr Static PE information: section name: .wucsxe
Source: VERSION.dll0.5.dr Static PE information: section name: .wnx
Source: VERSION.dll0.5.dr Static PE information: section name: .weqy
Source: VERSION.dll0.5.dr Static PE information: section name: .yby
Source: VERSION.dll0.5.dr Static PE information: section name: .ormx
Source: VERSION.dll0.5.dr Static PE information: section name: .dhclu
Source: VERSION.dll0.5.dr Static PE information: section name: .xmiul
Source: VERSION.dll0.5.dr Static PE information: section name: .tlwcxe
Source: VERSION.dll0.5.dr Static PE information: section name: .get
Source: VERSION.dll0.5.dr Static PE information: section name: .hzrd
Source: VERSION.dll0.5.dr Static PE information: section name: .qzu
Source: VERSION.dll0.5.dr Static PE information: section name: .nhglos
Source: VERSION.dll0.5.dr Static PE information: section name: .itzo
Source: VERSION.dll0.5.dr Static PE information: section name: .nmsaom
Source: VERSION.dll0.5.dr Static PE information: section name: .mas
Source: VERSION.dll0.5.dr Static PE information: section name: .ldov
Source: VERSION.dll0.5.dr Static PE information: section name: .bwslm
Source: VERSION.dll0.5.dr Static PE information: section name: .gfceb
Source: VERSION.dll0.5.dr Static PE information: section name: .nojmwb
Source: VERSION.dll0.5.dr Static PE information: section name: .naznun
Source: VERSION.dll0.5.dr Static PE information: section name: .iyfv
Source: VERSION.dll0.5.dr Static PE information: section name: .iqae
Source: VERSION.dll0.5.dr Static PE information: section name: .zco
Source: VERSION.dll0.5.dr Static PE information: section name: .kqpcjh
Source: VERSION.dll0.5.dr Static PE information: section name: .unbzj
Source: VERSION.dll0.5.dr Static PE information: section name: .tcuit
Source: VERSION.dll0.5.dr Static PE information: section name: .sow
Source: VERSION.dll0.5.dr Static PE information: section name: .fwy
Source: VERSION.dll1.5.dr Static PE information: section name: .qkm
Source: VERSION.dll1.5.dr Static PE information: section name: .cvjb
Source: VERSION.dll1.5.dr Static PE information: section name: .tlmkv
Source: VERSION.dll1.5.dr Static PE information: section name: .wucsxe
Source: VERSION.dll1.5.dr Static PE information: section name: .wnx
Source: VERSION.dll1.5.dr Static PE information: section name: .weqy
Source: VERSION.dll1.5.dr Static PE information: section name: .yby
Source: VERSION.dll1.5.dr Static PE information: section name: .ormx
Source: VERSION.dll1.5.dr Static PE information: section name: .dhclu
Source: VERSION.dll1.5.dr Static PE information: section name: .xmiul
Source: VERSION.dll1.5.dr Static PE information: section name: .tlwcxe
Source: VERSION.dll1.5.dr Static PE information: section name: .get
Source: VERSION.dll1.5.dr Static PE information: section name: .hzrd
Source: VERSION.dll1.5.dr Static PE information: section name: .qzu
Source: VERSION.dll1.5.dr Static PE information: section name: .nhglos
Source: VERSION.dll1.5.dr Static PE information: section name: .itzo
Source: VERSION.dll1.5.dr Static PE information: section name: .nmsaom
Source: VERSION.dll1.5.dr Static PE information: section name: .mas
Source: VERSION.dll1.5.dr Static PE information: section name: .ldov
Source: VERSION.dll1.5.dr Static PE information: section name: .bwslm
Source: VERSION.dll1.5.dr Static PE information: section name: .gfceb
Source: VERSION.dll1.5.dr Static PE information: section name: .nojmwb
Source: VERSION.dll1.5.dr Static PE information: section name: .naznun
Source: VERSION.dll1.5.dr Static PE information: section name: .iyfv
Source: VERSION.dll1.5.dr Static PE information: section name: .iqae
Source: VERSION.dll1.5.dr Static PE information: section name: .zco
Source: VERSION.dll1.5.dr Static PE information: section name: .kqpcjh
Source: VERSION.dll1.5.dr Static PE information: section name: .unbzj
Source: VERSION.dll1.5.dr Static PE information: section name: .tcuit
Source: VERSION.dll1.5.dr Static PE information: section name: .sow
Source: VERSION.dll1.5.dr Static PE information: section name: .varqbp
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B95BFA80 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 27_2_00007FF7B95BFA80
PE file contains an invalid checksum
Source: dwmapi.dll1.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x12e466
Source: K7dGM0P0yz.dll Static PE information: real checksum: 0x7d786c40 should be: 0x13a6c7
Source: DUI70.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1731b6
Source: WINSTA.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x138380
Source: VERSION.dll1.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x135f10
Source: DUI70.dll1.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x17ceb6
Source: dwmapi.dll0.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x135098
Source: dxva2.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x131391
Source: VERSION.dll0.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x13830e
Source: dwmapi.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x12f24d
Source: DUI70.dll2.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x17e239
Source: DUI70.dll0.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x180503
Source: VERSION.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x12ff28
Binary contains a suspicious time stamp
Source: rdpinit.exe.5.dr Static PE information: 0xC894E371 [Fri Aug 21 01:59:13 2076 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
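The three static findings recorded above (section names not produced by a normal linker, a header CheckSum of 0x7d786c40 that does not match any of the files, and a TimeDateStamp in 2076) can be reproduced outside the sandbox. The script below is an added example, not part of the Joe Sandbox report: it parses a PE header with the standard library, recomputes the CheckSum with the MapFileAndCheckSum algorithm, and runs on a minimal PE32+ image constructed inline with the sample's section names, checksum and timestamp rather than on the sample itself. The allowlist of section names, and treating a zero CheckSum as "not set", are this example's assumptions.

```python
"""Static PE triage for three of the findings above: non-standard section
names, a header CheckSum that does not match the file, and a compile
timestamp in the future. Standard library only; the PE it runs on is
built inline so the script works offline."""
import struct
import time

# Section names emitted by the MSVC/LLVM linkers. ".didat" and ".imrsiv"
# occur in genuine Windows binaries (GamePanel.exe, rdpinit.exe in the
# report) and are allowlisted here to keep the heuristic quiet on them.
STANDARD_SECTIONS = {
    b".text", b".rdata", b".data", b".pdata", b".idata", b".edata", b".reloc",
    b".rsrc", b".tls", b".bss", b".CRT", b".gfids", b".00cfg", b".didat",
    b".imrsiv",
}


def parse_pe(data):
    """Return COFF timestamp, CheckSum field offset/value and section names."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    checksum_off = opt + 64          # CheckSum sits at +64 in both PE32 and PE32+
    sec_table = opt + opt_size
    sections = [
        struct.unpack_from("<8s", data, sec_table + 40 * i)[0].rstrip(b"\0")
        for i in range(nsec)
    ]
    return {
        "timestamp": timestamp,
        "checksum_off": checksum_off,
        "checksum": struct.unpack_from("<I", data, checksum_off)[0],
        "sections": sections,
    }


def pe_checksum(data, checksum_off):
    """MapFileAndCheckSum: 32-bit end-around-carry sum over the whole file,
    skipping the CheckSum field itself, folded to 16 bits, plus file length."""
    if checksum_off % 4:
        raise ValueError("CheckSum field must be dword aligned")
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def fix_checksum(data):
    """Write the correct CheckSum into the header (what a linker /RELEASE does)."""
    off = parse_pe(data)["checksum_off"]
    out = bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(data, off))
    return bytes(out)


def triage(data, now=None):
    """Return the list of findings for one PE image (empty when clean)."""
    info = parse_pe(data)
    findings = []
    odd = [n.decode("ascii", "replace") for n in info["sections"] if n not in STANDARD_SECTIONS]
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
    expected = pe_checksum(data, info["checksum_off"])
    # Assumption: a zero CheckSum means "not set", which is normal for user-mode
    # binaries; only a non-zero value that disagrees with the file is suspicious.
    if info["checksum"] and info["checksum"] != expected:
        findings.append(f"invalid checksum: header 0x{info['checksum']:x}, expected 0x{expected:x}")
    now = time.time() if now is None else now
    if info["timestamp"] > now:
        findings.append(f"timestamp in the future: 0x{info['timestamp']:08X}")
    return findings


def build_pe(section_names, stored_checksum, timestamp):
    """Constructed minimal PE32+ image: DOS stub, COFF header, 240-byte optional
    header and one 40-byte header per section. Not loadable; enough for triage."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), timestamp, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 64, stored_checksum)
    secs = b"".join(struct.pack("<8s32x", n) for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    # Values taken from the report: two of the sample's section names, the
    # checksum 0x7d786c40 shared by all dropped DLLs, rdpinit.exe's timestamp.
    sample = build_pe([b".text", b".qkm", b".cvjb"], 0x7D786C40, 0xC894E371)
    for line in triage(sample):
        print(line)
```

Run against a real file with `triage(open(path, "rb").read())`. The identical bogus CheckSum across K7dGM0P0yz.dll and every dropped DLL is a stronger clustering signal than any single section name, because the value is copied from the original image while the file contents (and therefore the correct CheckSum) differ per drop.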

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\YRu8\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\exotc\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\qe7nfWB\systemreset.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\rdM8VQT\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\eF0\AgentService.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\vh7jtu\WINSTA.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Fox\dxva2.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\eF0\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\1DwRown1P\wextract.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Fox\dccw.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\hJetkV\dwmapi.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\qe7nfWB\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\I0o\dwmapi.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\hIiDwtvg\dwmapi.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\exotc\osk.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\I0o\rdpclip.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe Code function: 24_2_00007FF79A6F3464 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,StartServiceW,GetLastError,QueryServiceStatus,Sleep,GetLastError,CloseServiceHandle,CloseServiceHandle, 24_2_00007FF79A6F3464

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B95BFA80 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 27_2_00007FF7B95BFA80
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 4596 Thread sleep count: 38 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\qe7nfWB\systemreset.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\1DwRown1P\wextract.exe Jump to dropped file
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1C2EA4 rdtsc 20_2_00007FF6CE1C2EA4
Contains functionality to read device registry values (via SetupAPI)
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B958507C SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDevicePropertyW,RegQueryValueExW,DefineDosDeviceW,GetLastError,RegSetValueExW,GetLastError, 27_2_00007FF7B958507C
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 GetSystemInfo, 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B95B2380 memset,memset,memset,wcschr,wcsrchr,FindNextFileW,FindFirstFileW,FindNextFileW,GetLastError,wcsrchr,FindClose,LocalFree,LocalAlloc,GetLastError,GetLastError,FindClose,FindClose,LocalFree, 27_2_00007FF7B95B2380
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: 30_2_00007FF71B679110 ??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,FindFirstFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,FindNextFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,std::bad_exception::bad_exception,_CxxThrowException, 30_2_00007FF71B679110
Source: explorer.exe, 00000005.00000000.675145549.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.718116575.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.675563745.000000000A716000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000005.00000000.702853289.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.685209746.0000000004791000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}v
Source: explorer.exe, 00000005.00000000.675563745.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.676311661.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B95C0D50 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 27_2_00007FF7B95C0D50
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: 30_2_00007FF71B642EF0 OutputDebugStringW,OutputDebugStringW,EventRegister,EventSetInformation,RegisterServiceCtrlHandlerW,SetServiceStatus,SetServiceStatus,GetLastError, 30_2_00007FF71B642EF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B95BFA80 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 27_2_00007FF7B95BFA80
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Code function: 16_2_00007FF6369849E0 GetProcessHeap,HeapFree, 16_2_00007FF6369849E0
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1C2EA4 rdtsc 20_2_00007FF6CE1C2EA4
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose, 0_2_0000000140048AC0
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A29ED00 memset,memset,QueryPerformanceFrequency,QueryPerformanceCounter,BlockInput, 37_2_00007FF66A29ED00
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Code function: 16_2_00007FF636987480 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF636987480
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Code function: 16_2_00007FF636987680 SetUnhandledExceptionFilter, 16_2_00007FF636987680
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1EF1E0 SetUnhandledExceptionFilter, 20_2_00007FF6CE1EF1E0
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1EEA28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00007FF6CE1EEA28
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1F72B4 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00007FF6CE1F72B4
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe Code function: 24_2_00007FF79A6F4014 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00007FF79A6F4014
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe Code function: 24_2_00007FF79A6F3D90 SetUnhandledExceptionFilter, 24_2_00007FF79A6F3D90
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B95CFC30 SetUnhandledExceptionFilter, 27_2_00007FF7B95CFC30
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B95CFE9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 27_2_00007FF7B95CFE9C
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: 30_2_00007FF71B6F0304 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 30_2_00007FF71B6F0304
Source: C:\Users\user\AppData\Local\Fox\dccw.exe Code function: 32_2_00007FF7D526F894 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 32_2_00007FF7D526F894
Source: C:\Users\user\AppData\Local\Fox\dccw.exe Code function: 32_2_00007FF7D526FBA0 SetUnhandledExceptionFilter, 32_2_00007FF7D526FBA0
Source: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe Code function: 34_2_00007FF6312D2BE0 SetUnhandledExceptionFilter, 34_2_00007FF6312D2BE0
Source: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe Code function: 34_2_00007FF6312D29D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 34_2_00007FF6312D29D0
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A30BD44 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_00007FF66A30BD44
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A30BF20 SetUnhandledExceptionFilter, 37_2_00007FF66A30BF20
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A30B284 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 37_2_00007FF66A30B284

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: DUI70.dll.5.dr Jump to dropped file
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFABD58EFE0 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFABD58E000 protect: page execute read Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFABB012A20 protect: page execute and read and write Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1 Jump to behavior
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: 37_2_00007FF66A308CAC mouse_event,SetForegroundWindow, 37_2_00007FF66A308CAC
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Code function: 16_2_00007FF63698459C memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,AllocateAndInitializeSid,GetLastError,RpcBindingSetAuthInfoExW,RpcStringFreeW,FreeSid,RpcBindingFree, 16_2_00007FF63698459C
Source: explorer.exe, 00000005.00000000.700623963.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.683152480.0000000001080000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.687657205.0000000005E50000.00000004.00000001.sdmp, rdpinit.exe Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.683152480.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmp Binary or memory string: Initialize failedDwmpGetColorizationParameters failedDwmpSetColorizationParametersCRdpTrayTaskbarCreatedShell_TrayWndRdptrayTSCreateAppbarTrayFN failedTSCreateShellNotifyTrayFN failedTSCreateTaskbarTrayFn failedTSCreateWindowCloakingTracker failedFailed g_RailOrderEncoder.InitializeFailed g_RailOrderEncoder.StartUpdating max icon size for the tray icon failed.m_spAppBarTrayFnm_spWindowCloakingTrackerRemoveWindow failedRemoveDestroyedWindows failed~/
Source: explorer.exe, 00000005.00000000.683152480.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.675563745.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Fox\dccw.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Queries volume information: unknown VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: _o__Getdays,_o_free,_o_calloc,_o__Getmonths,_o_free,_o_calloc,_o_calloc,_o____lc_locale_name_func,GetLocaleInfoEx,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task, 37_2_00007FF66A2F0A3C
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: _o__W_Getdays,_o_free,_o_malloc,memmove,_o_free,_o__W_Getmonths,_o_free,_o_malloc,memmove,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx, 37_2_00007FF66A2FCE28
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: _o__Getdays,_o_free,_o__Getmonths,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx, 37_2_00007FF66A2FA840
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: WindowsGetStringRawBuffer,WideCharToMultiByte,WindowsDeleteString,WindowsDuplicateString,WindowsDeleteString,WindowsDuplicateString,GetUserDefaultUILanguage,LCIDToLocaleName,GetLocaleInfoEx, 37_2_00007FF66A276068
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Code function: RoInitialize,CoInitializeSecurity,RegisterWindowMessageW,CommandLineToArgvW,wcschr,_o__wcsnicmp,wcsnlen,_o_wcstol,_o__wcsnicmp,_o_wcstol,FindWindowW,GetUserDefaultUILanguage,GetLocaleInfoW,SetProcessDefaultLayout,IsWindow,SetProcessDpiAwareness,PostMessageW,memset,PostQuitMessage,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,EventUnregister,CloseHandle,EventUnregister,UnhookWinEvent,LocalFree,CloseHandle,RoUninitialize, 37_2_00007FF66A2972C8
Queries device information via Setup API
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B958507C SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDevicePropertyW,RegQueryValueExW,DefineDosDeviceW,GetLastError,RegSetValueExW,GetLastError, 27_2_00007FF7B958507C
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Code function: 16_2_00007FF636987810 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 16_2_00007FF636987810
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1EE34B GetStartupInfoW,GetVersionExW,_FF_MSGBANNER,_FF_MSGBANNER,GetCommandLineA, 20_2_00007FF6CE1EE34B
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe Code function: 24_2_00007FF79A6F1B64 memset,GetModuleHandleW,LoadStringW,LocalAlloc,GetUserNameExW,GetLastError,LocalAlloc,LocalFree,LocalFree,WindowsDeleteString,WindowsDeleteString,GetUserNameExW,wcschr,WindowsCreateString,WindowsDeleteString,WindowsCreateString,WindowsDeleteString,WindowsCreateStringReference,RaiseException,RoGetActivationFactory,WindowsIsStringEmpty,WindowsIsStringEmpty,WindowsCreateStringReference,RaiseException,RoActivateInstance,RaiseException,WindowsCreateStringReference,WindowsCreateStringReference,RaiseException,RoGetActivationFactory,GetSystemTimeAsFileTime,WindowsCreateStringReference,RaiseException,RoGetActivationFactory,WindowsCreateStringReference,RaiseException, 24_2_00007FF79A6F1B64

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Code function: 16_2_00007FF6369847F9 RpcBindingFree, 16_2_00007FF6369847F9
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Code function: 16_2_00007FF63698459C memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,AllocateAndInitializeSid,GetLastError,RpcBindingSetAuthInfoExW,RpcStringFreeW,FreeSid,RpcBindingFree, 16_2_00007FF63698459C
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Code function: 16_2_00007FF636984932 RpcBindingFree, 16_2_00007FF636984932
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Code function: 16_2_00007FF636984730 NdrClientCall3,RpcBindingFree, 16_2_00007FF636984730
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Code function: 16_2_00007FF636984868 NdrClientCall3,RpcBindingFree, 16_2_00007FF636984868
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1E3F90 RpcBindingFree, 20_2_00007FF6CE1E3F90
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1E1FE0 GetCurrentProcess,OpenProcessToken,GetLastError,RpcBindingToStringBindingW,RpcStringBindingParseW,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,RpcServerInqBindingHandle,RpcServerInqCallAttributesW,GetLastError,RpcImpersonateClient,GetCurrentThread,OpenThreadToken,GetLastError,GetTokenInformation,GetLastError,GetSidSubAuthority,GetSidSubAuthority,CloseHandle,CloseHandle,LocalFree,LocalFree,RpcRevertToSelf,RpcStringFreeW,RpcStringFreeW, 20_2_00007FF6CE1E1FE0
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1E3FE0 RpcBindingFree,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcBindingSetAuthInfoExW,RpcBindingFree,RpcStringFreeW, 20_2_00007FF6CE1E3FE0
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1CD87C RegisterTraceGuidsW,HeapSetInformation,GetLastError,CreateMutexW,GetLastError,GetLastError,CreateMutexW,GetLastError,GetLastError,CoInitializeEx,GetModuleHandleW,SetProcessShutdownParameters,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,GetSystemMetrics,RpcMgmtWaitServerListen,WTSLogoffSession,CoUninitialize,UnregisterTraceGuids,CloseHandle, 20_2_00007FF6CE1CD87C
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1E1DF0 RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen, 20_2_00007FF6CE1E1DF0
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1E3630 SetPropW,RpcBindingFree, 20_2_00007FF6CE1E3630
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe Code function: 24_2_00007FF79A6F3578 memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,LocalAlloc,CreateWellKnownSid,GetLastError,RpcBindingSetAuthInfoExW,LocalFree,RpcBindingFree, 24_2_00007FF79A6F3578
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe Code function: 24_2_00007FF79A6F3020 memset,RpcBindingFree,GetAncestor,EnableWindow,CloseHandle,RpcAsyncInitializeHandle,Ndr64AsyncClientCall,EnableWindow,LocalFree, 24_2_00007FF79A6F3020
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B95A9180 RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen, 27_2_00007FF7B95A9180
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B958B1A4 AllocateAndInitializeSid,GetCurrentProcessId,ProcessIdToSessionId,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateEventW,GetLastError, 27_2_00007FF7B958B1A4
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B95A64D0 GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,RpcServerListen, 27_2_00007FF7B95A64D0
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B95A9370 RpcBindingToStringBindingW,RpcStringBindingParseW,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,RpcImpersonateClient,GetCurrentThread,OpenThreadToken,GetLastError,GetTokenInformation,GetLastError,CloseHandle,RpcRevertToSelf,RpcStringFreeW,RpcStringFreeW, 27_2_00007FF7B95A9370
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B958AF50 RpcBindingInqAuthClientW,RpcImpersonateClient,RpcRevertToSelf, 27_2_00007FF7B958AF50
No contacted IP infos