Windows Analysis Report DC2zX44MQr

Overview

General Information

Sample Name: DC2zX44MQr (renamed file extension from none to dll)
Analysis ID: 492503
MD5: 94f8317b419e9476120b14a29d9b05d2
SHA1: f2b03dd4441f3808468bdbb8b26273cfb41b5298
SHA256: 2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862
Tags: Dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Potential key logger detected (key state polling based)
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection:

Multi AV Scanner detection for submitted file
Source: DC2zX44MQr.dll Virustotal: Detection: 67%
Source: DC2zX44MQr.dll ReversingLabs: Detection: 80%
Antivirus / Scanner detection for submitted sample
Source: DC2zX44MQr.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\sBx0fm\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\xlPP\wer.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\pZCYq8TUy\credui.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\zLYZkwYH\WINSTA.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\bQkmObl\WTSAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\mJLa\MFC42u.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\rm4w0\OLEACC.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: DC2zX44MQr.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\sBx0fm\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\xlPP\wer.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\pZCYq8TUy\credui.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\zLYZkwYH\WINSTA.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\bQkmObl\WTSAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\mJLa\MFC42u.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\rm4w0\OLEACC.dll Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A414F52C CryptProtectData,LocalAlloc,LocalFree, 40_2_00007FF7A414F52C
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A414F8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree, 40_2_00007FF7A414F8FC
Source: DC2zX44MQr.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: DmNotificationBroker.pdb source: DmNotificationBroker.exe, 00000013.00000002.368362956.00007FF686905000.00000002.00020000.sdmp, DmNotificationBroker.exe.5.dr
Source: Binary string: Utilman.pdb source: Utilman.exe, 0000001C.00000002.436525470.00007FF719850000.00000002.00020000.sdmp, Utilman.exe.5.dr
Source: Binary string: PasswordOnWakeSettingFlyout.pdb source: PasswordOnWakeSettingFlyout.exe.5.dr
Source: Binary string: RdpSa.pdbGCTL source: RdpSa.exe, 00000019.00000002.397262108.00007FF644D58000.00000002.00020000.sdmp, RdpSa.exe.5.dr
Source: Binary string: psr.pdbGCTL source: psr.exe.5.dr
Source: Binary string: EaseOfAccessDialog.pdb source: EaseOfAccessDialog.exe, 00000021.00000002.460475835.00007FF792C3E000.00000002.00020000.sdmp, EaseOfAccessDialog.exe.5.dr
Source: Binary string: RdpSa.pdb source: RdpSa.exe, 00000019.00000002.397262108.00007FF644D58000.00000002.00020000.sdmp, RdpSa.exe.5.dr
Source: Binary string: DmNotificationBroker.pdbGCTL source: DmNotificationBroker.exe, 00000013.00000002.368362956.00007FF686905000.00000002.00020000.sdmp, DmNotificationBroker.exe.5.dr
Source: Binary string: PasswordOnWakeSettingFlyout.pdbGCTL source: PasswordOnWakeSettingFlyout.exe.5.dr
Source: Binary string: EaseOfAccessDialog.pdbGCTL source: EaseOfAccessDialog.exe, 00000021.00000002.460475835.00007FF792C3E000.00000002.00020000.sdmp, EaseOfAccessDialog.exe.5.dr
Source: Binary string: WerMgr.pdb source: wermgr.exe, 00000026.00000000.503200153.00007FF776FB5000.00000002.00020000.sdmp, wermgr.exe.5.dr
Source: Binary string: RDVGHelper.pdbGCTL source: RDVGHelper.exe.5.dr
Source: Binary string: Utilman.pdbGCTL source: Utilman.exe, 0000001C.00000002.436525470.00007FF719850000.00000002.00020000.sdmp, Utilman.exe.5.dr
Source: Binary string: DevicePairingWizard.pdb source: DevicePairingWizard.exe, 00000023.00000000.476451806.00007FF6CB027000.00000002.00020000.sdmp, DevicePairingWizard.exe.5.dr
Source: Binary string: mstsc.pdbGCTL source: mstsc.exe, 00000028.00000000.532448081.00007FF7A41F4000.00000002.00020000.sdmp, mstsc.exe.5.dr
Source: Binary string: mstsc.pdb source: mstsc.exe, 00000028.00000000.532448081.00007FF7A41F4000.00000002.00020000.sdmp, mstsc.exe.5.dr
Source: Binary string: psr.pdb source: psr.exe.5.dr
Source: Binary string: RDVGHelper.pdb source: RDVGHelper.exe.5.dr
Source: Binary string: DevicePairingWizard.pdbGCTL source: DevicePairingWizard.exe, 00000023.00000000.476451806.00007FF6CB027000.00000002.00020000.sdmp, DevicePairingWizard.exe.5.dr
Source: Binary string: WerMgr.pdbGCTL source: wermgr.exe, 00000026.00000000.503200153.00007FF776FB5000.00000002.00020000.sdmp, wermgr.exe.5.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FABE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose, 38_2_00007FF776FABE54
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FB1BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose, 38_2_00007FF776FB1BA0
Source: explorer.exe, 00000005.00000000.301625315.0000000006840000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF7198411A0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendInput, 28_2_00007FF7198411A0
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C3956C GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,memset,SendInput, 33_2_00007FF792C3956C

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000023.00000002.498301124.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.525725102.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.252587929.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.272674434.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.258809816.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.330302590.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.266253941.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.366691390.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.429090698.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.555665664.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.459149344.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.393120079.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140034870 0_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035270 0_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 0_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140065B80 0_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400524B0 0_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140026CC0 0_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004BD40 0_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400495B0 0_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140036F30 0_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069010 0_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001010 0_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140066020 0_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002F840 0_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D850 0_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140064080 0_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140010880 0_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400688A0 0_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002D0D0 0_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400018D0 0_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016100 0_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D100 0_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002A110 0_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D910 0_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140015120 0_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000B120 0_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004F940 0_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140039140 0_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023140 0_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140057950 0_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001E170 0_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140002980 0_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400611A0 0_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400389A0 0_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400381A0 0_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002E1B0 0_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400139D0 0_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400319F0 0_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002EA00 0_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022A00 0_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003B220 0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140067A40 0_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069A50 0_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140007A60 0_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003AAC0 0_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003A2E0 0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140062B00 0_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018300 0_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002FB20 0_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031340 0_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022340 0_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140017B40 0_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000BB40 0_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004EB60 0_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005370 0_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002CB80 0_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B390 0_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140054BA0 0_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033BB0 0_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400263C0 0_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400123C0 0_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140063BD0 0_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400663F0 0_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023BF0 0_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B41B 0_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B424 0_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B42D 0_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B436 0_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B43D 0_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140024440 0_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005C40 0_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B446 0_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005F490 0_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022D00 0_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035520 0_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019D20 0_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140030530 0_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023530 0_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031540 0_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033540 0_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014007BD50 0_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140078570 0_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019580 0_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400205A0 0_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140025DB0 0_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140071DC0 0_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000C5C0 0_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002DDE0 0_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031DF0 0_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000DDF0 0_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001620 0_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018630 0_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140032650 0_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140064E80 0_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016E80 0_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140007EA0 0_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400286B0 0_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140006EB0 0_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400276C0 0_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002FEC0 0_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002EED0 0_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002B6E0 0_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140053F20 0_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022730 0_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140029780 0_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018F80 0_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003EFB0 0_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400067B0 0_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400667D0 0_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140060FE0 0_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe Code function: 25_2_00007FF644D52BA0 25_2_00007FF644D52BA0
Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe Code function: 25_2_00007FF644D522B0 25_2_00007FF644D522B0
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF719844AA4 28_2_00007FF719844AA4
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF7198416F8 28_2_00007FF7198416F8
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF71984B230 28_2_00007FF71984B230
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF719849A10 28_2_00007FF719849A10
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF7198418D0 28_2_00007FF7198418D0
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C32FD0 33_2_00007FF792C32FD0
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C37F6C 33_2_00007FF792C37F6C
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C36890 33_2_00007FF792C36890
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C34830 33_2_00007FF792C34830
Source: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe Code function: 35_2_00007FF6CB0231D0 35_2_00007FF6CB0231D0
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FB2438 38_2_00007FF776FB2438
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FA6848 38_2_00007FF776FA6848
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FB0A58 38_2_00007FF776FB0A58
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FA7EFC 38_2_00007FF776FA7EFC
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FA2F54 38_2_00007FF776FA2F54
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FAE368 38_2_00007FF776FAE368
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FACFF0 38_2_00007FF776FACFF0
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40E39A0 40_2_00007FF7A40E39A0
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40E8DF0 40_2_00007FF7A40E8DF0
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40E35EC 40_2_00007FF7A40E35EC
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40ECE08 40_2_00007FF7A40ECE08
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A4161690 40_2_00007FF7A4161690
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40DDA8C 40_2_00007FF7A40DDA8C
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40EEAB4 40_2_00007FF7A40EEAB4
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40D4EC4 40_2_00007FF7A40D4EC4
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40F12E0 40_2_00007FF7A40F12E0
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A4114320 40_2_00007FF7A4114320
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40D6B94 40_2_00007FF7A40D6B94
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40E77C0 40_2_00007FF7A40E77C0
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40D5410 40_2_00007FF7A40D5410
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40E8060 40_2_00007FF7A40E8060
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40EA858 40_2_00007FF7A40EA858
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40E84C0 40_2_00007FF7A40E84C0
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40E64DC 40_2_00007FF7A40E64DC
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140046C90 NtClose, 0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 NtQuerySystemInformation, 0_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF71984A2C8 NtQueryWnfStateData,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CoCreateInstance,SystemParametersInfoW, 28_2_00007FF71984A2C8
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF719849640 NtQueryWnfStateData, 28_2_00007FF719849640
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C338C0 NtQueryWnfStateData,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CoCreateInstance,SystemParametersInfoW, 33_2_00007FF792C338C0
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C3C164 NtQueryWnfStateData, 33_2_00007FF792C3C164
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FB2438 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue, 38_2_00007FF776FB2438
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FA82EC DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 38_2_00007FF776FA82EC
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FB1F54 NtQueryLicenseValue, 38_2_00007FF776FB1F54
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FAE368 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose, 38_2_00007FF776FAE368
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FA8404 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 38_2_00007FF776FA8404
PE file contains executable resources (Code or Archives)
Source: DmNotificationBroker.exe.5.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Sample file is different than original file name gathered from version info
Source: DC2zX44MQr.dll Binary or memory string: OriginalFilenamekbdyj% vs DC2zX44MQr.dll
PE file contains strange resources
Source: EaseOfAccessDialog.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EaseOfAccessDialog.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EaseOfAccessDialog.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DevicePairingWizard.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: DUI70.dll0.5.dr Static PE information: Number of sections : 40 > 10
Source: DUI70.dll.5.dr Static PE information: Number of sections : 40 > 10
Source: WTSAPI32.dll.5.dr Static PE information: Number of sections : 40 > 10
Source: DC2zX44MQr.dll Static PE information: Number of sections : 39 > 10
Source: WINSTA.dll.5.dr Static PE information: Number of sections : 40 > 10
Source: wer.dll.5.dr Static PE information: Number of sections : 40 > 10
Source: DUI70.dll1.5.dr Static PE information: Number of sections : 40 > 10
Source: VERSION.dll.5.dr Static PE information: Number of sections : 40 > 10
Source: credui.dll.5.dr Static PE information: Number of sections : 40 > 10
Source: MFC42u.dll.5.dr Static PE information: Number of sections : 40 > 10
Source: OLEACC.dll.5.dr Static PE information: Number of sections : 40 > 10
Source: DC2zX44MQr.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: wer.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: credui.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll1.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DC2zX44MQr.dll Virustotal: Detection: 67%
Source: DC2zX44MQr.dll ReversingLabs: Detection: 80%
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\DC2zX44MQr.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\DC2zX44MQr.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\DC2zX44MQr.dll,DisplaySYSDMCPL
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\DC2zX44MQr.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\DC2zX44MQr.dll,EditEnvironmentVariables
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\DC2zX44MQr.dll,EditUserProfiles
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\RdpSa.exe C:\Windows\system32\RdpSa.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\Utilman.exe C:\Windows\system32\Utilman.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\EaseOfAccessDialog.exe C:\Windows\system32\EaseOfAccessDialog.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DevicePairingWizard.exe C:\Windows\system32\DevicePairingWizard.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\xlPP\wermgr.exe C:\Users\user\AppData\Local\xlPP\wermgr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Source: classification engine Classification label: mal100.troj.evad.winDLL@45/21@0/0
Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe Code function: 19_2_00007FF686901A1C CoInitializeEx,InitProcessPriv,InitThread,CoCreateInstance,#100,TranslateMessage,DispatchMessageW,GetMessageW,#101,UnInitThread,UnInitProcessPriv,CoUninitialize, 19_2_00007FF686901A1C
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: RtlInitUnicodeString,RtlCreateBoundaryDescriptor,RtlInitUnicodeString,RtlCreateServiceSid,GetProcessHeap,HeapAlloc,RtlCreateServiceSid,RtlAddSIDToBoundaryDescriptor,OpenPrivateNamespaceW,GetLastError,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor, 38_2_00007FF776FADE98
Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe Code function: 25_2_00007FF644D541EC LoadStringW,GetLastError,LoadStringW,GetLastError,FormatMessageW,GetLastError,WinStationSendMessageW,GetLastError,LocalFree, 25_2_00007FF644D541EC
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FA1A70 CreateToolhelp32Snapshot,GetLastError,Process32FirstW,GetLastError,_wcsicmp,Process32NextW,CloseHandle, 38_2_00007FF776FA1A70
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Mutant created: \Sessions\1\BaseNamedObjects\{a917c379-c9d3-7f7b-0d3b-a731b6dfaaa9}
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Mutant created: \Sessions\1\BaseNamedObjects\{19d566d2-4a0e-150a-d927-cc8fa9ee6bbf}
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF719846A78 LoadResource,LockResource,SizeofResource, 28_2_00007FF719846A78
Source: DC2zX44MQr.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: DC2zX44MQr.dll Static file information: File size 1236992 > 1048576
Source: DC2zX44MQr.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: DmNotificationBroker.pdb source: DmNotificationBroker.exe, 00000013.00000002.368362956.00007FF686905000.00000002.00020000.sdmp, DmNotificationBroker.exe.5.dr
Source: Binary string: Utilman.pdb source: Utilman.exe, 0000001C.00000002.436525470.00007FF719850000.00000002.00020000.sdmp, Utilman.exe.5.dr
Source: Binary string: PasswordOnWakeSettingFlyout.pdb source: PasswordOnWakeSettingFlyout.exe.5.dr
Source: Binary string: RdpSa.pdbGCTL source: RdpSa.exe, 00000019.00000002.397262108.00007FF644D58000.00000002.00020000.sdmp, RdpSa.exe.5.dr
Source: Binary string: psr.pdbGCTL source: psr.exe.5.dr
Source: Binary string: EaseOfAccessDialog.pdb source: EaseOfAccessDialog.exe, 00000021.00000002.460475835.00007FF792C3E000.00000002.00020000.sdmp, EaseOfAccessDialog.exe.5.dr
Source: Binary string: RdpSa.pdb source: RdpSa.exe, 00000019.00000002.397262108.00007FF644D58000.00000002.00020000.sdmp, RdpSa.exe.5.dr
Source: Binary string: DmNotificationBroker.pdbGCTL source: DmNotificationBroker.exe, 00000013.00000002.368362956.00007FF686905000.00000002.00020000.sdmp, DmNotificationBroker.exe.5.dr
Source: Binary string: PasswordOnWakeSettingFlyout.pdbGCTL source: PasswordOnWakeSettingFlyout.exe.5.dr
Source: Binary string: EaseOfAccessDialog.pdbGCTL source: EaseOfAccessDialog.exe, 00000021.00000002.460475835.00007FF792C3E000.00000002.00020000.sdmp, EaseOfAccessDialog.exe.5.dr
Source: Binary string: WerMgr.pdb source: wermgr.exe, 00000026.00000000.503200153.00007FF776FB5000.00000002.00020000.sdmp, wermgr.exe.5.dr
Source: Binary string: RDVGHelper.pdbGCTL source: RDVGHelper.exe.5.dr
Source: Binary string: Utilman.pdbGCTL source: Utilman.exe, 0000001C.00000002.436525470.00007FF719850000.00000002.00020000.sdmp, Utilman.exe.5.dr
Source: Binary string: DevicePairingWizard.pdb source: DevicePairingWizard.exe, 00000023.00000000.476451806.00007FF6CB027000.00000002.00020000.sdmp, DevicePairingWizard.exe.5.dr
Source: Binary string: mstsc.pdbGCTL source: mstsc.exe, 00000028.00000000.532448081.00007FF7A41F4000.00000002.00020000.sdmp, mstsc.exe.5.dr
Source: Binary string: mstsc.pdb source: mstsc.exe, 00000028.00000000.532448081.00007FF7A41F4000.00000002.00020000.sdmp, mstsc.exe.5.dr
Source: Binary string: psr.pdb source: psr.exe.5.dr
Source: Binary string: RDVGHelper.pdb source: RDVGHelper.exe.5.dr
Source: Binary string: DevicePairingWizard.pdbGCTL source: DevicePairingWizard.exe, 00000023.00000000.476451806.00007FF6CB027000.00000002.00020000.sdmp, DevicePairingWizard.exe.5.dr
Source: Binary string: WerMgr.pdbGCTL source: wermgr.exe, 00000026.00000000.503200153.00007FF776FB5000.00000002.00020000.sdmp, wermgr.exe.5.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret 0_2_0000000140056A4E
PE file contains sections with non-standard names
Source: DC2zX44MQr.dll Static PE information: section name: .qkm
Source: DC2zX44MQr.dll Static PE information: section name: .cvjb
Source: DC2zX44MQr.dll Static PE information: section name: .tlmkv
Source: DC2zX44MQr.dll Static PE information: section name: .wucsxe
Source: DC2zX44MQr.dll Static PE information: section name: .wnx
Source: DC2zX44MQr.dll Static PE information: section name: .weqy
Source: DC2zX44MQr.dll Static PE information: section name: .yby
Source: DC2zX44MQr.dll Static PE information: section name: .ormx
Source: DC2zX44MQr.dll Static PE information: section name: .dhclu
Source: DC2zX44MQr.dll Static PE information: section name: .xmiul
Source: DC2zX44MQr.dll Static PE information: section name: .tlwcxe
Source: DC2zX44MQr.dll Static PE information: section name: .get
Source: DC2zX44MQr.dll Static PE information: section name: .hzrd
Source: DC2zX44MQr.dll Static PE information: section name: .qzu
Source: DC2zX44MQr.dll Static PE information: section name: .nhglos
Source: DC2zX44MQr.dll Static PE information: section name: .itzo
Source: DC2zX44MQr.dll Static PE information: section name: .nmsaom
Source: DC2zX44MQr.dll Static PE information: section name: .rvhi
Source: DC2zX44MQr.dll Static PE information: section name: .ucrzce
Source: DC2zX44MQr.dll Static PE information: section name: .ijc
Source: DC2zX44MQr.dll Static PE information: section name: .ohvs
Source: DC2zX44MQr.dll Static PE information: section name: .rlvrc
Source: DC2zX44MQr.dll Static PE information: section name: .yjv
Source: DC2zX44MQr.dll Static PE information: section name: .clbcyy
Source: DC2zX44MQr.dll Static PE information: section name: .xcyn
Source: DC2zX44MQr.dll Static PE information: section name: .boqx
Source: DC2zX44MQr.dll Static PE information: section name: .rnlia
Source: DC2zX44MQr.dll Static PE information: section name: .ctip
Source: DC2zX44MQr.dll Static PE information: section name: .fkv
Source: DC2zX44MQr.dll Static PE information: section name: .pczrv
Source: DC2zX44MQr.dll Static PE information: section name: .ibglr
Source: DC2zX44MQr.dll Static PE information: section name: .uirkq
Source: DC2zX44MQr.dll Static PE information: section name: .xmo
Source: DmNotificationBroker.exe.5.dr Static PE information: section name: .imrsiv
Source: Utilman.exe.5.dr Static PE information: section name: .imrsiv
Source: wermgr.exe.5.dr Static PE information: section name: .imrsiv
Source: wermgr.exe.5.dr Static PE information: section name: .didat
Source: mstsc.exe.5.dr Static PE information: section name: .didat
Source: PasswordOnWakeSettingFlyout.exe.5.dr Static PE information: section name: .imrsiv
Source: psr.exe.5.dr Static PE information: section name: .didat
Source: DUI70.dll.5.dr Static PE information: section name: .qkm
Source: DUI70.dll.5.dr Static PE information: section name: .cvjb
Source: DUI70.dll.5.dr Static PE information: section name: .tlmkv
Source: DUI70.dll.5.dr Static PE information: section name: .wucsxe
Source: DUI70.dll.5.dr Static PE information: section name: .wnx
Source: DUI70.dll.5.dr Static PE information: section name: .weqy
Source: DUI70.dll.5.dr Static PE information: section name: .yby
Source: DUI70.dll.5.dr Static PE information: section name: .ormx
Source: DUI70.dll.5.dr Static PE information: section name: .dhclu
Source: DUI70.dll.5.dr Static PE information: section name: .xmiul
Source: DUI70.dll.5.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll.5.dr Static PE information: section name: .get
Source: DUI70.dll.5.dr Static PE information: section name: .hzrd
Source: DUI70.dll.5.dr Static PE information: section name: .qzu
Source: DUI70.dll.5.dr Static PE information: section name: .nhglos
Source: DUI70.dll.5.dr Static PE information: section name: .itzo
Source: DUI70.dll.5.dr Static PE information: section name: .nmsaom
Source: DUI70.dll.5.dr Static PE information: section name: .rvhi
Source: DUI70.dll.5.dr Static PE information: section name: .ucrzce
Source: DUI70.dll.5.dr Static PE information: section name: .ijc
Source: DUI70.dll.5.dr Static PE information: section name: .ohvs
Source: DUI70.dll.5.dr Static PE information: section name: .rlvrc
Source: DUI70.dll.5.dr Static PE information: section name: .yjv
Source: DUI70.dll.5.dr Static PE information: section name: .clbcyy
Source: DUI70.dll.5.dr Static PE information: section name: .xcyn
Source: DUI70.dll.5.dr Static PE information: section name: .boqx
Source: DUI70.dll.5.dr Static PE information: section name: .rnlia
Source: DUI70.dll.5.dr Static PE information: section name: .ctip
Source: DUI70.dll.5.dr Static PE information: section name: .fkv
Source: DUI70.dll.5.dr Static PE information: section name: .pczrv
Source: DUI70.dll.5.dr Static PE information: section name: .ibglr
Source: DUI70.dll.5.dr Static PE information: section name: .uirkq
Source: DUI70.dll.5.dr Static PE information: section name: .xmo
Source: DUI70.dll.5.dr Static PE information: section name: .req
Source: WINSTA.dll.5.dr Static PE information: section name: .qkm
Source: WINSTA.dll.5.dr Static PE information: section name: .cvjb
Source: WINSTA.dll.5.dr Static PE information: section name: .tlmkv
Source: WINSTA.dll.5.dr Static PE information: section name: .wucsxe
Source: WINSTA.dll.5.dr Static PE information: section name: .wnx
Source: WINSTA.dll.5.dr Static PE information: section name: .weqy
Source: WINSTA.dll.5.dr Static PE information: section name: .yby
Source: WINSTA.dll.5.dr Static PE information: section name: .ormx
Source: WINSTA.dll.5.dr Static PE information: section name: .dhclu
Source: WINSTA.dll.5.dr Static PE information: section name: .xmiul
Source: WINSTA.dll.5.dr Static PE information: section name: .tlwcxe
Source: WINSTA.dll.5.dr Static PE information: section name: .get
Source: WINSTA.dll.5.dr Static PE information: section name: .hzrd
Source: WINSTA.dll.5.dr Static PE information: section name: .qzu
Source: WINSTA.dll.5.dr Static PE information: section name: .nhglos
Source: WINSTA.dll.5.dr Static PE information: section name: .itzo
Source: WINSTA.dll.5.dr Static PE information: section name: .nmsaom
Source: WINSTA.dll.5.dr Static PE information: section name: .rvhi
Source: WINSTA.dll.5.dr Static PE information: section name: .ucrzce
Source: WINSTA.dll.5.dr Static PE information: section name: .ijc
Source: WINSTA.dll.5.dr Static PE information: section name: .ohvs
Source: WINSTA.dll.5.dr Static PE information: section name: .rlvrc
Source: WINSTA.dll.5.dr Static PE information: section name: .yjv
Source: WINSTA.dll.5.dr Static PE information: section name: .clbcyy
Source: WINSTA.dll.5.dr Static PE information: section name: .xcyn
Source: WINSTA.dll.5.dr Static PE information: section name: .boqx
Source: WINSTA.dll.5.dr Static PE information: section name: .rnlia
Source: WINSTA.dll.5.dr Static PE information: section name: .ctip
Source: WINSTA.dll.5.dr Static PE information: section name: .fkv
Source: WINSTA.dll.5.dr Static PE information: section name: .pczrv
Source: WINSTA.dll.5.dr Static PE information: section name: .ibglr
Source: WINSTA.dll.5.dr Static PE information: section name: .uirkq
Source: WINSTA.dll.5.dr Static PE information: section name: .xmo
Source: WINSTA.dll.5.dr Static PE information: section name: .jki
Source: DUI70.dll0.5.dr Static PE information: section name: .qkm
Source: DUI70.dll0.5.dr Static PE information: section name: .cvjb
Source: DUI70.dll0.5.dr Static PE information: section name: .tlmkv
Source: DUI70.dll0.5.dr Static PE information: section name: .wucsxe
Source: DUI70.dll0.5.dr Static PE information: section name: .wnx
Source: DUI70.dll0.5.dr Static PE information: section name: .weqy
Source: DUI70.dll0.5.dr Static PE information: section name: .yby
Source: DUI70.dll0.5.dr Static PE information: section name: .ormx
Source: DUI70.dll0.5.dr Static PE information: section name: .dhclu
Source: DUI70.dll0.5.dr Static PE information: section name: .xmiul
Source: DUI70.dll0.5.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll0.5.dr Static PE information: section name: .get
Source: DUI70.dll0.5.dr Static PE information: section name: .hzrd
Source: DUI70.dll0.5.dr Static PE information: section name: .qzu
Source: DUI70.dll0.5.dr Static PE information: section name: .nhglos
Source: DUI70.dll0.5.dr Static PE information: section name: .itzo
Source: DUI70.dll0.5.dr Static PE information: section name: .nmsaom
Source: DUI70.dll0.5.dr Static PE information: section name: .rvhi
Source: DUI70.dll0.5.dr Static PE information: section name: .ucrzce
Source: DUI70.dll0.5.dr Static PE information: section name: .ijc
Source: DUI70.dll0.5.dr Static PE information: section name: .ohvs
Source: DUI70.dll0.5.dr Static PE information: section name: .rlvrc
Source: DUI70.dll0.5.dr Static PE information: section name: .yjv
Source: DUI70.dll0.5.dr Static PE information: section name: .clbcyy
Source: DUI70.dll0.5.dr Static PE information: section name: .xcyn
Source: DUI70.dll0.5.dr Static PE information: section name: .boqx
Source: DUI70.dll0.5.dr Static PE information: section name: .rnlia
Source: DUI70.dll0.5.dr Static PE information: section name: .ctip
Source: DUI70.dll0.5.dr Static PE information: section name: .fkv
Source: DUI70.dll0.5.dr Static PE information: section name: .pczrv
Source: DUI70.dll0.5.dr Static PE information: section name: .ibglr
Source: DUI70.dll0.5.dr Static PE information: section name: .uirkq
Source: DUI70.dll0.5.dr Static PE information: section name: .xmo
Source: DUI70.dll0.5.dr Static PE information: section name: .oni
Source: OLEACC.dll.5.dr Static PE information: section name: .qkm
Source: OLEACC.dll.5.dr Static PE information: section name: .cvjb
Source: OLEACC.dll.5.dr Static PE information: section name: .tlmkv
Source: OLEACC.dll.5.dr Static PE information: section name: .wucsxe
Source: OLEACC.dll.5.dr Static PE information: section name: .wnx
Source: OLEACC.dll.5.dr Static PE information: section name: .weqy
Source: OLEACC.dll.5.dr Static PE information: section name: .yby
Source: OLEACC.dll.5.dr Static PE information: section name: .ormx
Source: OLEACC.dll.5.dr Static PE information: section name: .dhclu
Source: OLEACC.dll.5.dr Static PE information: section name: .xmiul
Source: OLEACC.dll.5.dr Static PE information: section name: .tlwcxe
Source: OLEACC.dll.5.dr Static PE information: section name: .get
Source: OLEACC.dll.5.dr Static PE information: section name: .hzrd
Source: OLEACC.dll.5.dr Static PE information: section name: .qzu
Source: OLEACC.dll.5.dr Static PE information: section name: .nhglos
Source: OLEACC.dll.5.dr Static PE information: section name: .itzo
Source: OLEACC.dll.5.dr Static PE information: section name: .nmsaom
Source: OLEACC.dll.5.dr Static PE information: section name: .rvhi
Source: OLEACC.dll.5.dr Static PE information: section name: .ucrzce
Source: OLEACC.dll.5.dr Static PE information: section name: .ijc
Source: OLEACC.dll.5.dr Static PE information: section name: .ohvs
Source: OLEACC.dll.5.dr Static PE information: section name: .rlvrc
Source: OLEACC.dll.5.dr Static PE information: section name: .yjv
Source: OLEACC.dll.5.dr Static PE information: section name: .clbcyy
Source: OLEACC.dll.5.dr Static PE information: section name: .xcyn
Source: OLEACC.dll.5.dr Static PE information: section name: .boqx
Source: OLEACC.dll.5.dr Static PE information: section name: .rnlia
Source: OLEACC.dll.5.dr Static PE information: section name: .ctip
Source: OLEACC.dll.5.dr Static PE information: section name: .fkv
Source: OLEACC.dll.5.dr Static PE information: section name: .pczrv
Source: OLEACC.dll.5.dr Static PE information: section name: .ibglr
Source: OLEACC.dll.5.dr Static PE information: section name: .uirkq
Source: OLEACC.dll.5.dr Static PE information: section name: .xmo
Source: OLEACC.dll.5.dr Static PE information: section name: .nncdb
Source: MFC42u.dll.5.dr Static PE information: section name: .qkm
Source: MFC42u.dll.5.dr Static PE information: section name: .cvjb
Source: MFC42u.dll.5.dr Static PE information: section name: .tlmkv
Source: MFC42u.dll.5.dr Static PE information: section name: .wucsxe
Source: MFC42u.dll.5.dr Static PE information: section name: .wnx
Source: MFC42u.dll.5.dr Static PE information: section name: .weqy
Source: MFC42u.dll.5.dr Static PE information: section name: .yby
Source: MFC42u.dll.5.dr Static PE information: section name: .ormx
Source: MFC42u.dll.5.dr Static PE information: section name: .dhclu
Source: MFC42u.dll.5.dr Static PE information: section name: .xmiul
Source: MFC42u.dll.5.dr Static PE information: section name: .tlwcxe
Source: MFC42u.dll.5.dr Static PE information: section name: .get
Source: MFC42u.dll.5.dr Static PE information: section name: .hzrd
Source: MFC42u.dll.5.dr Static PE information: section name: .qzu
Source: MFC42u.dll.5.dr Static PE information: section name: .nhglos
Source: MFC42u.dll.5.dr Static PE information: section name: .itzo
Source: MFC42u.dll.5.dr Static PE information: section name: .nmsaom
Source: MFC42u.dll.5.dr Static PE information: section name: .rvhi
Source: MFC42u.dll.5.dr Static PE information: section name: .ucrzce
Source: MFC42u.dll.5.dr Static PE information: section name: .ijc
Source: MFC42u.dll.5.dr Static PE information: section name: .ohvs
Source: MFC42u.dll.5.dr Static PE information: section name: .rlvrc
Source: MFC42u.dll.5.dr Static PE information: section name: .yjv
Source: MFC42u.dll.5.dr Static PE information: section name: .clbcyy
Source: MFC42u.dll.5.dr Static PE information: section name: .xcyn
Source: MFC42u.dll.5.dr Static PE information: section name: .boqx
Source: MFC42u.dll.5.dr Static PE information: section name: .rnlia
Source: MFC42u.dll.5.dr Static PE information: section name: .ctip
Source: MFC42u.dll.5.dr Static PE information: section name: .fkv
Source: MFC42u.dll.5.dr Static PE information: section name: .pczrv
Source: MFC42u.dll.5.dr Static PE information: section name: .ibglr
Source: MFC42u.dll.5.dr Static PE information: section name: .uirkq
Source: MFC42u.dll.5.dr Static PE information: section name: .xmo
Source: MFC42u.dll.5.dr Static PE information: section name: .nhpi
Source: wer.dll.5.dr Static PE information: section name: .qkm
Source: wer.dll.5.dr Static PE information: section name: .cvjb
Source: wer.dll.5.dr Static PE information: section name: .tlmkv
Source: wer.dll.5.dr Static PE information: section name: .wucsxe
Source: wer.dll.5.dr Static PE information: section name: .wnx
Source: wer.dll.5.dr Static PE information: section name: .weqy
Source: wer.dll.5.dr Static PE information: section name: .yby
Source: wer.dll.5.dr Static PE information: section name: .ormx
Source: wer.dll.5.dr Static PE information: section name: .dhclu
Source: wer.dll.5.dr Static PE information: section name: .xmiul
Source: wer.dll.5.dr Static PE information: section name: .tlwcxe
Source: wer.dll.5.dr Static PE information: section name: .get
Source: wer.dll.5.dr Static PE information: section name: .hzrd
Source: wer.dll.5.dr Static PE information: section name: .qzu
Source: wer.dll.5.dr Static PE information: section name: .nhglos
Source: wer.dll.5.dr Static PE information: section name: .itzo
Source: wer.dll.5.dr Static PE information: section name: .nmsaom
Source: wer.dll.5.dr Static PE information: section name: .rvhi
Source: wer.dll.5.dr Static PE information: section name: .ucrzce
Source: wer.dll.5.dr Static PE information: section name: .ijc
Source: wer.dll.5.dr Static PE information: section name: .ohvs
Source: wer.dll.5.dr Static PE information: section name: .rlvrc
Source: wer.dll.5.dr Static PE information: section name: .yjv
Source: wer.dll.5.dr Static PE information: section name: .clbcyy
Source: wer.dll.5.dr Static PE information: section name: .xcyn
Source: wer.dll.5.dr Static PE information: section name: .boqx
Source: wer.dll.5.dr Static PE information: section name: .rnlia
Source: wer.dll.5.dr Static PE information: section name: .ctip
Source: wer.dll.5.dr Static PE information: section name: .fkv
Source: wer.dll.5.dr Static PE information: section name: .pczrv
Source: wer.dll.5.dr Static PE information: section name: .ibglr
Source: wer.dll.5.dr Static PE information: section name: .uirkq
Source: wer.dll.5.dr Static PE information: section name: .xmo
Source: wer.dll.5.dr Static PE information: section name: .hrnn
Source: credui.dll.5.dr Static PE information: section name: .qkm
Source: credui.dll.5.dr Static PE information: section name: .cvjb
Source: credui.dll.5.dr Static PE information: section name: .tlmkv
Source: credui.dll.5.dr Static PE information: section name: .wucsxe
Source: credui.dll.5.dr Static PE information: section name: .wnx
Source: credui.dll.5.dr Static PE information: section name: .weqy
Source: credui.dll.5.dr Static PE information: section name: .yby
Source: credui.dll.5.dr Static PE information: section name: .ormx
Source: credui.dll.5.dr Static PE information: section name: .dhclu
Source: credui.dll.5.dr Static PE information: section name: .xmiul
Source: credui.dll.5.dr Static PE information: section name: .tlwcxe
Source: credui.dll.5.dr Static PE information: section name: .get
Source: credui.dll.5.dr Static PE information: section name: .hzrd
Source: credui.dll.5.dr Static PE information: section name: .qzu
Source: credui.dll.5.dr Static PE information: section name: .nhglos
Source: credui.dll.5.dr Static PE information: section name: .itzo
Source: credui.dll.5.dr Static PE information: section name: .nmsaom
Source: credui.dll.5.dr Static PE information: section name: .rvhi
Source: credui.dll.5.dr Static PE information: section name: .ucrzce
Source: credui.dll.5.dr Static PE information: section name: .ijc
Source: credui.dll.5.dr Static PE information: section name: .ohvs
Source: credui.dll.5.dr Static PE information: section name: .rlvrc
Source: credui.dll.5.dr Static PE information: section name: .yjv
Source: credui.dll.5.dr Static PE information: section name: .clbcyy
Source: credui.dll.5.dr Static PE information: section name: .xcyn
Source: credui.dll.5.dr Static PE information: section name: .boqx
Source: credui.dll.5.dr Static PE information: section name: .rnlia
Source: credui.dll.5.dr Static PE information: section name: .ctip
Source: credui.dll.5.dr Static PE information: section name: .fkv
Source: credui.dll.5.dr Static PE information: section name: .pczrv
Source: credui.dll.5.dr Static PE information: section name: .ibglr
Source: credui.dll.5.dr Static PE information: section name: .uirkq
Source: credui.dll.5.dr Static PE information: section name: .xmo
Source: credui.dll.5.dr Static PE information: section name: .efn
Source: DUI70.dll1.5.dr Static PE information: section name: .qkm
Source: DUI70.dll1.5.dr Static PE information: section name: .cvjb
Source: DUI70.dll1.5.dr Static PE information: section name: .tlmkv
Source: DUI70.dll1.5.dr Static PE information: section name: .wucsxe
Source: DUI70.dll1.5.dr Static PE information: section name: .wnx
Source: DUI70.dll1.5.dr Static PE information: section name: .weqy
Source: DUI70.dll1.5.dr Static PE information: section name: .yby
Source: DUI70.dll1.5.dr Static PE information: section name: .ormx
Source: DUI70.dll1.5.dr Static PE information: section name: .dhclu
Source: DUI70.dll1.5.dr Static PE information: section name: .xmiul
Source: DUI70.dll1.5.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll1.5.dr Static PE information: section name: .get
Source: DUI70.dll1.5.dr Static PE information: section name: .hzrd
Source: DUI70.dll1.5.dr Static PE information: section name: .qzu
Source: DUI70.dll1.5.dr Static PE information: section name: .nhglos
Source: DUI70.dll1.5.dr Static PE information: section name: .itzo
Source: DUI70.dll1.5.dr Static PE information: section name: .nmsaom
Source: DUI70.dll1.5.dr Static PE information: section name: .rvhi
Source: DUI70.dll1.5.dr Static PE information: section name: .ucrzce
Source: DUI70.dll1.5.dr Static PE information: section name: .ijc
Source: DUI70.dll1.5.dr Static PE information: section name: .ohvs
Source: DUI70.dll1.5.dr Static PE information: section name: .rlvrc
Source: DUI70.dll1.5.dr Static PE information: section name: .yjv
Source: DUI70.dll1.5.dr Static PE information: section name: .clbcyy
Source: DUI70.dll1.5.dr Static PE information: section name: .xcyn
Source: DUI70.dll1.5.dr Static PE information: section name: .boqx
Source: DUI70.dll1.5.dr Static PE information: section name: .rnlia
Source: DUI70.dll1.5.dr Static PE information: section name: .ctip
Source: DUI70.dll1.5.dr Static PE information: section name: .fkv
Source: DUI70.dll1.5.dr Static PE information: section name: .pczrv
Source: DUI70.dll1.5.dr Static PE information: section name: .ibglr
Source: DUI70.dll1.5.dr Static PE information: section name: .uirkq
Source: DUI70.dll1.5.dr Static PE information: section name: .xmo
Source: DUI70.dll1.5.dr Static PE information: section name: .udkto
Source: WTSAPI32.dll.5.dr Static PE information: section name: .qkm
Source: WTSAPI32.dll.5.dr Static PE information: section name: .cvjb
Source: WTSAPI32.dll.5.dr Static PE information: section name: .tlmkv
Source: WTSAPI32.dll.5.dr Static PE information: section name: .wucsxe
Source: WTSAPI32.dll.5.dr Static PE information: section name: .wnx
Source: WTSAPI32.dll.5.dr Static PE information: section name: .weqy
Source: WTSAPI32.dll.5.dr Static PE information: section name: .yby
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ormx
Source: WTSAPI32.dll.5.dr Static PE information: section name: .dhclu
Source: WTSAPI32.dll.5.dr Static PE information: section name: .xmiul
Source: WTSAPI32.dll.5.dr Static PE information: section name: .tlwcxe
Source: WTSAPI32.dll.5.dr Static PE information: section name: .get
Source: WTSAPI32.dll.5.dr Static PE information: section name: .hzrd
Source: WTSAPI32.dll.5.dr Static PE information: section name: .qzu
Source: WTSAPI32.dll.5.dr Static PE information: section name: .nhglos
Source: WTSAPI32.dll.5.dr Static PE information: section name: .itzo
Source: WTSAPI32.dll.5.dr Static PE information: section name: .nmsaom
Source: WTSAPI32.dll.5.dr Static PE information: section name: .rvhi
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ucrzce
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ijc
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ohvs
Source: WTSAPI32.dll.5.dr Static PE information: section name: .rlvrc
Source: WTSAPI32.dll.5.dr Static PE information: section name: .yjv
Source: WTSAPI32.dll.5.dr Static PE information: section name: .clbcyy
Source: WTSAPI32.dll.5.dr Static PE information: section name: .xcyn
Source: WTSAPI32.dll.5.dr Static PE information: section name: .boqx
Source: WTSAPI32.dll.5.dr Static PE information: section name: .rnlia
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ctip
Source: WTSAPI32.dll.5.dr Static PE information: section name: .fkv
Source: WTSAPI32.dll.5.dr Static PE information: section name: .pczrv
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ibglr
Source: WTSAPI32.dll.5.dr Static PE information: section name: .uirkq
Source: WTSAPI32.dll.5.dr Static PE information: section name: .xmo
Source: WTSAPI32.dll.5.dr Static PE information: section name: .fmi
Source: VERSION.dll.5.dr Static PE information: section name: .qkm
Source: VERSION.dll.5.dr Static PE information: section name: .cvjb
Source: VERSION.dll.5.dr Static PE information: section name: .tlmkv
Source: VERSION.dll.5.dr Static PE information: section name: .wucsxe
Source: VERSION.dll.5.dr Static PE information: section name: .wnx
Source: VERSION.dll.5.dr Static PE information: section name: .weqy
Source: VERSION.dll.5.dr Static PE information: section name: .yby
Source: VERSION.dll.5.dr Static PE information: section name: .ormx
Source: VERSION.dll.5.dr Static PE information: section name: .dhclu
Source: VERSION.dll.5.dr Static PE information: section name: .xmiul
Source: VERSION.dll.5.dr Static PE information: section name: .tlwcxe
Source: VERSION.dll.5.dr Static PE information: section name: .get
Source: VERSION.dll.5.dr Static PE information: section name: .hzrd
Source: VERSION.dll.5.dr Static PE information: section name: .qzu
Source: VERSION.dll.5.dr Static PE information: section name: .nhglos
Source: VERSION.dll.5.dr Static PE information: section name: .itzo
Source: VERSION.dll.5.dr Static PE information: section name: .nmsaom
Source: VERSION.dll.5.dr Static PE information: section name: .rvhi
Source: VERSION.dll.5.dr Static PE information: section name: .ucrzce
Source: VERSION.dll.5.dr Static PE information: section name: .ijc
Source: VERSION.dll.5.dr Static PE information: section name: .ohvs
Source: VERSION.dll.5.dr Static PE information: section name: .rlvrc
Source: VERSION.dll.5.dr Static PE information: section name: .yjv
Source: VERSION.dll.5.dr Static PE information: section name: .clbcyy
Source: VERSION.dll.5.dr Static PE information: section name: .xcyn
Source: VERSION.dll.5.dr Static PE information: section name: .boqx
Source: VERSION.dll.5.dr Static PE information: section name: .rnlia
Source: VERSION.dll.5.dr Static PE information: section name: .ctip
Source: VERSION.dll.5.dr Static PE information: section name: .fkv
Source: VERSION.dll.5.dr Static PE information: section name: .pczrv
Source: VERSION.dll.5.dr Static PE information: section name: .ibglr
Source: VERSION.dll.5.dr Static PE information: section name: .uirkq
Source: VERSION.dll.5.dr Static PE information: section name: .xmo
Source: VERSION.dll.5.dr Static PE information: section name: .okbt
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40EBEA0 LoadLibraryW,GetProcAddress,GetProcAddress, 40_2_00007FF7A40EBEA0
PE file contains an invalid checksum
Source: DUI70.dll0.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x18312b
Source: DUI70.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x17960c
Source: WTSAPI32.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x130bc3
Source: DC2zX44MQr.dll Static PE information: real checksum: 0x7d786c40 should be: 0x136b0f
Source: WINSTA.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1382ec
Source: wer.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x135c0e
Source: DUI70.dll1.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x175fcb
Source: VERSION.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x13d91d
Source: credui.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1357c2
Source: MFC42u.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1426da
Source: OLEACC.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x13ea9a
Binary contains a suspicious time stamp
Source: DmNotificationBroker.exe.5.dr Static PE information: 0xF8A808F8 [Tue Mar 14 06:45:12 2102 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\zLYZkwYH\WINSTA.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\rm4w0\OLEACC.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\mJLa\MFC42u.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\sBx0fm\VERSION.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pZCYq8TUy\credui.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\bQkmObl\RDVGHelper.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\sBx0fm\psr.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\KbLvcSLVf\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\WkAB\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\bQkmObl\WTSAPI32.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\WkAB\PasswordOnWakeSettingFlyout.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\xlPP\wermgr.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\xlPP\wer.dll

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A415C560 GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos, 40_2_00007FF7A415C560
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40DF5A4 DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,DefWindowProcW, 40_2_00007FF7A40DF5A4
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40E39A0 SetFocus,LoadCursorW,SetCursor,DefWindowProcW,GetClientRect,IsIconic,memset,GetTitleBarInfo,GetCursorPos,SendMessageW, 40_2_00007FF7A40E39A0
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40DCE48 IsIconic,GetWindowPlacement,GetLastError, 40_2_00007FF7A40DCE48
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40D9A6C IsIconic,GetWindowPlacement,GetWindowRect, 40_2_00007FF7A40D9A6C
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40DCF28 IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow, 40_2_00007FF7A40DCF28
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40E1B44 lstrcmpW,LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,VariantInit,VariantClear,GetRgnBox,OffsetRgn,VariantClear,ShowWindow,SetWindowPos,SetWindowPos,SetWindowRgn,LockWindowUpdate, 40_2_00007FF7A40E1B44
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40E2F5C IsWindowVisible,IsIconic, 40_2_00007FF7A40E2F5C
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40E2884 GetWindowRect,GetWindowLongW,GetWindowLongW,memset,CopyRect,IntersectRect,MoveWindow,IsIconic,memset,GetWindowPlacement, 40_2_00007FF7A40E2884
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40E04F8 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem, 40_2_00007FF7A40E04F8
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 4492 Thread sleep count: 33 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\sBx0fm\VERSION.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\bQkmObl\RDVGHelper.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\sBx0fm\psr.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\bQkmObl\WTSAPI32.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\WkAB\PasswordOnWakeSettingFlyout.exe
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FA7BC4 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 01h and CTI: jne 00007FF776FA7CE0h 38_2_00007FF776FA7BC4
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 GetSystemInfo, 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FABE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose, 38_2_00007FF776FABE54
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FB1BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose, 38_2_00007FF776FB1BA0
Source: explorer.exe, 00000005.00000000.272660584.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000005.00000000.272660584.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.261174760.000000000E9FF000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.259807605.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.259807605.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000005.00000000.268107178.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.259807605.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000005.00000000.272937253.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000005.00000000.272937253.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.269963872.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe Code function: 35_2_00007FF6CB022110 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 35_2_00007FF6CB022110
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A40EBEA0 LoadLibraryW,GetProcAddress,GetProcAddress, 40_2_00007FF7A40EBEA0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe Code function: 25_2_00007FF644D51124 SysFreeString,GetProcessHeap,HeapFree, 25_2_00007FF644D51124
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose, 0_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe Code function: 19_2_00007FF686902780 SetUnhandledExceptionFilter, 19_2_00007FF686902780
Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe Code function: 19_2_00007FF686902AB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FF686902AB4
Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe Code function: 25_2_00007FF644D57330 SetUnhandledExceptionFilter, 25_2_00007FF644D57330
Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe Code function: 25_2_00007FF644D575B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_00007FF644D575B4
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF71984CD10 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00007FF71984CD10
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF71984CF30 SetUnhandledExceptionFilter, 28_2_00007FF71984CF30
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C3C98C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 33_2_00007FF792C3C98C
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C3C710 SetUnhandledExceptionFilter, 33_2_00007FF792C3C710
Source: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe Code function: 35_2_00007FF6CB026340 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 35_2_00007FF6CB026340
Source: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe Code function: 35_2_00007FF6CB026630 SetUnhandledExceptionFilter, 35_2_00007FF6CB026630
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FB2B00 SetUnhandledExceptionFilter, 38_2_00007FF776FB2B00
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FB3140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 38_2_00007FF776FB3140
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A41F2264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 40_2_00007FF7A41F2264

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: DUI70.dll.5.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFFAC2B2A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\DC2zX44MQr.dll',#1
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FAAE50 GetFileSecurityW,GetLastError,GetFileSecurityW,GetLastError,GetSecurityDescriptorDacl,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,SetEntriesInAclW,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,SetFileSecurityW,GetLastError,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,LocalFree,CloseHandle, 38_2_00007FF776FAAE50
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF7198450A4 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 28_2_00007FF7198450A4
Source: explorer.exe, 00000005.00000000.253485246.0000000001400000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000005.00000000.286145376.0000000005F40000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.253485246.0000000001400000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.265800620.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000005.00000000.253485246.0000000001400000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.272937253.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Queries volume information: unknown VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: GetThreadPreferredUILanguages,GetLastError,GetThreadPreferredUILanguages,GetLastError,GetLocaleInfoEx,GetLastError, 28_2_00007FF7198498E8
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: GetThreadPreferredUILanguages,GetLastError,GetThreadPreferredUILanguages,GetLastError,GetLocaleInfoEx,GetLastError, 33_2_00007FF792C32EA8
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe Code function: 19_2_00007FF686902910 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 19_2_00007FF686902910
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A41EF5EC memset,GetVersionExW,GetVersionExW, 40_2_00007FF7A41EF5EC
Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe Code function: 25_2_00007FF644D54A50 GetUserNameExW,GetLastError,GetUserNameExW,GetLastError, 25_2_00007FF644D54A50

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe Code function: 19_2_00007FF6869021B8 RpcBindingCreateW,RpcBindingBind,NdrClientCall3,RpcBindingFree, 19_2_00007FF6869021B8
Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe Code function: 19_2_00007FF6869022F0 RpcBindingFree, 19_2_00007FF6869022F0
Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe Code function: 25_2_00007FF644D56AB4 memset,CreateBindCtx,StringFromCLSID,MkParseDisplayName,CoTaskMemFree, 25_2_00007FF644D56AB4
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF71984B230 InitProcessPriv,InitThread,RegisterPVLBehaviorFactory,UnInitThread,UnInitProcessPriv,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?SetVisible@Element@DirectUI@@QEAAJ_N@Z,?SetAccessible@Element@DirectUI@@QEAAJ_N@Z,?GetRoot@Element@DirectUI@@QEAAPEAV12@XZ,?GetClassInfoPtr@HWNDElement@DirectUI@@SAPEAUIClassInfo@2@XZ,GetAncestor,SetWindowPos,AccessibleObjectFromWindow,new,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,new,LoadCursorW,SetCursor,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StartMessagePump,?RemoveListener@Element@DirectUI@@QEAAXPEAUIElementListener@2@@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ,UnInitThread,UnInitProcessPriv, 28_2_00007FF71984B230
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF71984A8A0 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?Click@TouchButton@DirectUI@@SA?AVUID@@XZ,StrToID,StrToID,StrToID,?SliderUpdated@TouchSlider@DirectUI@@SA?AVUID@@XZ,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?IsDescendent@Element@DirectUI@@QEAA_NPEAV12@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?OnEvent@Element@DirectUI@@UEAAXPEAUEvent@2@@Z, 28_2_00007FF71984A8A0
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF71984C7B0 ?RemoveListener@Element@DirectUI@@QEAAXPEAUIElementListener@2@@Z,free, 28_2_00007FF71984C7B0
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C35B60 ?RemoveListener@Element@DirectUI@@QEAAXPEAUIElementListener@2@@Z,free, 33_2_00007FF792C35B60
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C34830 InitProcessPriv,InitThread,RegisterPVLBehaviorFactory,UnInitThread,UnInitProcessPriv,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?SetVisible@Element@DirectUI@@QEAAJ_N@Z,?SetAccessible@Element@DirectUI@@QEAAJ_N@Z,?GetRoot@Element@DirectUI@@QEAAPEAV12@XZ,?GetClassInfoPtr@HWNDElement@DirectUI@@SAPEAUIClassInfo@2@XZ,GetAncestor,SetWindowPos,AccessibleObjectFromWindow,new,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,new,LoadCursorW,SetCursor,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StartMessagePump,?RemoveListener@Element@DirectUI@@QEAAXPEAUIElementListener@2@@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ,UnInitThread,UnInitProcessPriv, 33_2_00007FF792C34830
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C33EA4 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?Click@TouchButton@DirectUI@@SA?AVUID@@XZ,StrToID,StrToID,StrToID,?SliderUpdated@TouchSlider@DirectUI@@SA?AVUID@@XZ,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?IsDescendent@Element@DirectUI@@QEAA_NPEAV12@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?OnEvent@Element@DirectUI@@UEAAXPEAUEvent@2@@Z, 33_2_00007FF792C33EA4
No contacted IP infos