Windows Analysis Report Y7KrNvSxWx

Overview

General Information

Sample Name: Y7KrNvSxWx (renamed file extension from none to dll)
Analysis ID: 492554
MD5: ecdfff8b0ece2175cd699e690de1fcaf
SHA1: 9359770d71e743832ca22597db917dfa817038b2
SHA256: dc684f824a7deaf6028f6266b48cc3f982a4931ce2db003f692a448da8e255e3
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Contains functionality to automate explorer (e.g. start an application)
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Drops files with a non-matching file extension (content does not match file extension)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
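Several of the static signatures above (invalid checksum, non-standard section names, more sections than normal, suspicious time stamp) rest on a handful of PE header fields that can be checked offline without pefile. The script below is an added example and is not part of the Joe Sandbox report: it recomputes the PE checksum with the same word-folding algorithm that Windows' CheckSumMappedFile uses, lists the section names, counts them and decodes the link timestamp. It builds a constructed PE32+ image to run against, since the sample itself is not on this page; the standard-section-name list and the section-count threshold are this example's own assumptions.

```python
"""Static PE header triage with the standard library only (added example)."""
import struct
import time

# Assumed "usual" section names; anything else is reported as non-standard.
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                          ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".gfids", ".xdata"}
MAX_USUAL_SECTIONS = 8   # assumed threshold behind "more sections than normal"


def coff_checksum(data, skip_offset):
    """PE checksum: 32-bit words summed with end-around carry, folded to 16 bits,
    plus the file length. The dword holding the header CheckSum field
    (skip_offset) is excluded, exactly as the loader excludes it."""
    skip = None if skip_offset is None else skip_offset & ~3
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def triage_pe(data):
    """Parse the DOS/NT headers and return the facts a header triage records."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4
    machine, nsec, timestamp, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    checksum_off = opt + 64                      # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    computed = coff_checksum(data, checksum_off)
    sections = []
    for i in range(nsec):
        raw_name = struct.unpack_from("<8s", data, opt + size_opt + 40 * i)[0]
        sections.append(raw_name.rstrip(b"\0").decode("latin-1"))
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "timestamp": timestamp,
        "timestamp_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(timestamp)),
        "timestamp_in_future": timestamp > time.time(),
        "section_count": nsec,
        "too_many_sections": nsec > MAX_USUAL_SECTIONS,
        "sections": sections,
        "nonstandard_sections": [s for s in sections if s not in STANDARD_SECTION_NAMES],
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_unset": stored == 0,           # common for unsigned builds
        "checksum_ok": stored == computed,
    }


def build_test_pe(section_names, timestamp, stored_checksum=None):
    """Constructed minimal PE32+ image (headers plus 0x200 bytes per section) so the
    triage can run offline; it is not a loadable binary. With stored_checksum=None
    the correct checksum is written into the header."""
    e_lfanew, file_align, size_opt = 0x40, 0x200, 240
    n = len(section_names)
    headers_end = e_lfanew + 4 + 20 + size_opt + 40 * n
    size_of_headers = -(-headers_end // file_align) * file_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, n, timestamp, 0, 0, size_opt, 0x2022)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0x200 * n, 0, 0, 0x1000, 0x1000, 0x140000000,
                      0x1000, file_align, 6, 0, 0, 0, 6, 0, 0, 0x1000 * (n + 1),
                      size_of_headers, 0 if stored_checksum is None else stored_checksum,
                      2, 0x160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    sec_hdrs, raw = b"", b""
    for i, name in enumerate(section_names):
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x200, 0x1000 * (i + 1),
                                0x200, size_of_headers + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        raw += bytes((i * 37 + j) & 0xFF for j in range(0x200))
    header = dos + b"PE\0\0" + file_hdr + opt + sec_hdrs
    data = header + b"\0" * (size_of_headers - len(header)) + raw
    if stored_checksum is None:
        cs_off = e_lfanew + 4 + 20 + 64
        data = data[:cs_off] + struct.pack("<I", coff_checksum(data, cs_off)) + data[cs_off + 4:]
    return data


if __name__ == "__main__":
    sample = build_test_pe([".text", ".rdata", ".data", ".xyz1"], timestamp=1600000000)
    for key, value in triage_pe(sample).items():
        print(f"{key:22} {value}")
```

To run it against a real file, pass `open(path, "rb").read()` to `triage_pe`. A stored checksum of zero is not evidence on its own (most unsigned builds never set it); a non-zero stored value that disagrees with the computed one is what the "invalid checksum" signature is about, and for drivers and signed system binaries it would fail loading.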

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Y7KrNvSxWx.dll Virustotal: Detection: 64% Perma Link
Source: Y7KrNvSxWx.dll ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: Y7KrNvSxWx.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\KXZtu\dwmapi.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\KAG\SYSDM.CPL Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\FvTQVxZ\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\mFxP\XmlLite.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\5JXP\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\mlAKVTuFf\DUser.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\2oEy\TAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\IcLt\WTSAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Uh9eo\FVEWIZ.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Machine Learning detection for sample
Source: Y7KrNvSxWx.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\KXZtu\dwmapi.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\KAG\SYSDM.CPL Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\FvTQVxZ\UxTheme.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\mFxP\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\5JXP\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\mlAKVTuFf\DUser.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2oEy\TAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\IcLt\WTSAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Uh9eo\FVEWIZ.dll Joe Sandbox ML: detected
Source: Y7KrNvSxWx.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: BitLockerWizardElev.pdb source: BitLockerWizardElev.exe, 00000026.00000002.657739886.00007FF6173E2000.00000002.00020000.sdmp, BitLockerWizardElev.exe.4.dr
Source: Binary string: bdeunlock.pdbGCTL source: bdeunlock.exe, 00000014.00000002.516325068.00007FF68D897000.00000002.00020000.sdmp, bdeunlock.exe.4.dr
Source: Binary string: BdeUISrv.pdbGCTL source: BdeUISrv.exe.4.dr
Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe.4.dr
Source: Binary string: wscript.pdb source: wscript.exe, 00000024.00000002.630624352.00007FF68AF25000.00000002.00020000.sdmp, wscript.exe.4.dr
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr
Source: Binary string: bdeunlock.pdb source: bdeunlock.exe, 00000014.00000002.516325068.00007FF68D897000.00000002.00020000.sdmp, bdeunlock.exe.4.dr
Source: Binary string: tcmsetup.pdb source: tcmsetup.exe, 00000021.00000000.576808687.00007FF6E3313000.00000002.00020000.sdmp, tcmsetup.exe.4.dr
Source: Binary string: iexpress.pdb source: iexpress.exe.4.dr
Source: Binary string: iexpress.pdbGCTL source: iexpress.exe.4.dr
Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000011.00000002.489479361.00007FF6249D2000.00000002.00020000.sdmp, SndVol.exe.4.dr
Source: Binary string: SystemPropertiesDataExecutionPrevention.pdb source: SystemPropertiesDataExecutionPrevention.exe.4.dr
Source: Binary string: tcmsetup.pdbGCTL source: tcmsetup.exe, 00000021.00000000.576808687.00007FF6E3313000.00000002.00020000.sdmp, tcmsetup.exe.4.dr
Source: Binary string: upfc.pdb source: upfc.exe, 00000028.00000000.659462106.00007FF7299C2000.00000002.00020000.sdmp, upfc.exe.4.dr
Source: Binary string: SystemPropertiesPerformance.pdb source: SystemPropertiesPerformance.exe, 00000019.00000000.519427492.00007FF6A7B92000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.4.dr
Source: Binary string: BitLockerWizardElev.pdbGCTL source: BitLockerWizardElev.exe, 00000026.00000002.657739886.00007FF6173E2000.00000002.00020000.sdmp, BitLockerWizardElev.exe.4.dr
Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000024.00000002.630624352.00007FF68AF25000.00000002.00020000.sdmp, wscript.exe.4.dr
Source: Binary string: SystemPropertiesPerformance.pdbGCTL source: SystemPropertiesPerformance.exe, 00000019.00000000.519427492.00007FF6A7B92000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.4.dr
Source: Binary string: BdeUISrv.pdb source: BdeUISrv.exe.4.dr
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr
Source: Binary string: SystemPropertiesDataExecutionPrevention.pdbGCTL source: SystemPropertiesDataExecutionPrevention.exe.4.dr
Source: Binary string: SndVol.pdb source: SndVol.exe, 00000011.00000002.489479361.00007FF6249D2000.00000002.00020000.sdmp, SndVol.exe.4.dr
Source: Binary string: upfc.pdbGCTL source: upfc.exe, 00000028.00000000.659462106.00007FF7299C2000.00000002.00020000.sdmp, upfc.exe.4.dr
Source: Binary string: FileHistory.pdb source: FileHistory.exe.4.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF1D4A0 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose, 36_2_00007FF68AF1D4A0
Source: C:\Users\user\AppData\Local\mFxP\upfc.exe Code function: 40_2_00007FF7299BDF60 PathCchCombine,FindFirstFileW,GetLastError,PathCchCombine,FindNextFileW,FindClose, 40_2_00007FF7299BDF60
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Code function: 20_2_00007FF68D887818 GetLogicalDriveStringsW,GetLastError,GetProcessHeap,HeapAlloc,GetLogicalDriveStringsW,GetLastError,?UnlockWithKey@BuiVolume@@QEAAJPEBGPEAH@Z, 20_2_00007FF68D887818
Source: SndVol.exe, 00000010.00000002.463303895.000002151D5A0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000000.398986460.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augment
Source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/gameclips/Augment
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/screenshots/Augment
Source: GamePanel.exe String found in binary or memory: https://aka.ms/ifg0es
Source: GamePanel.exe String found in binary or memory: https://aka.ms/imfx4k
Source: GamePanel.exe String found in binary or memory: https://aka.ms/imrx2o
Source: GamePanel.exe String found in binary or memory: https://aka.ms/v5do45
Source: GamePanel.exe String found in binary or memory: https://aka.ms/w5ryqn
Source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr String found in binary or memory: https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING
Source: GamePanel.exe, GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr String found in binary or memory: https://aka.ms/wk9ocd
Source: GamePanel.exe String found in binary or memory: https://mixer.com/%ws
Source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr String found in binary or memory: https://mixer.com/%wsWindows.System.Launcher
Source: GamePanel.exe String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.png
Source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia
Source: GamePanel.exe, GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr String found in binary or memory: https://mixer.com/api/v1/broadcasts/current
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/channels/%d
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/channels/%ws
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/chats/%.0f
Source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr String found in binary or memory: https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/oauth/xbl/login
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/types/lookup%ws
Source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr String found in binary or memory: https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/users/current
Source: GamePanel.exe String found in binary or memory: https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw
Source: GamePanel.exe String found in binary or memory: https://www.xboxlive.com
Source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr String found in binary or memory: https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD
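The dropped-file list and the PDB strings above show the staging pattern behind these detections: copies of legitimate Windows executables (SndVol.exe, bdeunlock.exe, upfc.exe, tcmsetup.exe, wscript.exe, GamePanel.exe and others) are written to random folders under %LOCALAPPDATA%, each beside a DLL that carries the name of a system library the executable imports (dwmapi.dll, DUser.dll, XmlLite.dll, TAPI32.dll, ...), so the clean, signed executable loads the proxy DLL from its own directory. The hunt below is an added example, not part of the Joe Sandbox report: it pairs system-named executables with system-named DLLs that sit together outside the Windows directories. The name sets are seeded from this report only, which is an assumption; on a live host they should be built from a listing of C:\Windows\System32.

```python
"""Flag DLL side-loading staging directories from a list of observed file paths
(added example, not the sandbox's own logic)."""
import ntpath
from collections import defaultdict

# Assumption: seeded from the names in this report. On a real host, populate
# both sets from the contents of C:\Windows\System32 instead.
SYSTEM_DLL_NAMES = {
    "dwmapi.dll", "uxtheme.dll", "xmllite.dll", "version.dll", "duser.dll",
    "tapi32.dll", "wtsapi32.dll", "fvewiz.dll", "sysdm.cpl",
}
SYSTEM_EXE_NAMES = {
    "sndvol.exe", "bdeunlock.exe", "gamepanel.exe", "upfc.exe", "tcmsetup.exe",
    "wscript.exe", "bdeuisrv.exe", "filehistory.exe", "iexpress.exe",
    "bitlockerwizardelev.exe", "systempropertiesperformance.exe",
    "systempropertiesdataexecutionprevention.exe",
}
# Locations where a system-named binary is expected; anywhere else is suspect.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def is_trusted_location(directory):
    d = directory.lower().rstrip("\\")
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def find_sideload_candidates(paths, dll_names=SYSTEM_DLL_NAMES, exe_names=SYSTEM_EXE_NAMES):
    """Return (directory, exe, dll) triples where a system-named executable and a
    system-named DLL sit together outside the trusted Windows directories.
    A lone DLL or a lone executable is not reported: the pairing is the signal."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    for path in paths:
        directory, name = ntpath.split(path)
        if is_trusted_location(directory):
            continue
        lowered = name.lower()
        if lowered in exe_names:
            by_dir[directory]["exe"].append(name)
        elif lowered in dll_names:
            by_dir[directory]["dll"].append(name)
    hits = []
    for directory in sorted(by_dir):
        files = by_dir[directory]
        hits.extend((directory, exe, dll) for exe in files["exe"] for dll in files["dll"])
    return hits


# Constructed input: paths taken from the report, plus two legitimate System32
# copies that must not be flagged.
SAMPLE_PATHS = [
    r"C:\Users\user\AppData\Local\KXZtu\SndVol.exe",
    r"C:\Users\user\AppData\Local\KXZtu\dwmapi.dll",
    r"C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe",
    r"C:\Users\user\AppData\Local\mlAKVTuFf\DUser.dll",
    r"C:\Users\user\AppData\Local\mFxP\upfc.exe",
    r"C:\Users\user\AppData\Local\mFxP\XmlLite.dll",
    r"C:\Users\user\AppData\Local\2oEy\tcmsetup.exe",
    r"C:\Users\user\AppData\Local\2oEy\TAPI32.dll",
    r"C:\Users\user\AppData\Local\NakOm\wscript.exe",   # proxy DLL not captured in the report
    r"C:\Users\user\AppData\Local\5JXP\VERSION.dll",    # host executable not captured
    r"C:\Windows\System32\SndVol.exe",
    r"C:\Windows\System32\dwmapi.dll",
]

if __name__ == "__main__":
    for directory, exe, dll in find_sideload_candidates(SAMPLE_PATHS):
        print(f"{directory}: {exe} will resolve {dll} from its own directory first")
```

Feed it the paths from a file-system walk, a Sysmon event 11 (FileCreate) export, or the dropped-file table of a report like this one. The pairing is deliberately conservative: a system-named DLL alone in a user directory is noted by the sandbox's "drops PE files" signatures anyway, while an executable copy next to a matching DLL is the side-loading pattern itself.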

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BAEFC50 RegisterRawInputDevices, 30_2_00007FF71BAEFC50

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000002.00000002.456385826.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.355433336.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.625281639.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.681547027.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.514246640.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.545893721.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.488077444.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.377190564.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.370198156.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.598954103.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.571934505.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.363238472.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.654598508.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140034870 0_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035270 0_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 0_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140065B80 0_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400524B0 0_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140026CC0 0_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004BD40 0_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400495B0 0_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140036F30 0_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069010 0_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001010 0_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140066020 0_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002F840 0_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D850 0_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140064080 0_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140010880 0_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400688A0 0_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002D0D0 0_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400018D0 0_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016100 0_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D100 0_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002A110 0_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D910 0_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140015120 0_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000B120 0_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004F940 0_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140039140 0_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023140 0_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140057950 0_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001E170 0_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140002980 0_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400611A0 0_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400389A0 0_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400381A0 0_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002E1B0 0_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400139D0 0_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400319F0 0_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002EA00 0_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022A00 0_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003B220 0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140067A40 0_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069A50 0_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140007A60 0_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003AAC0 0_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003A2E0 0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140062B00 0_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018300 0_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002FB20 0_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031340 0_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022340 0_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140017B40 0_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000BB40 0_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004EB60 0_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005370 0_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002CB80 0_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B390 0_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140054BA0 0_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033BB0 0_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400263C0 0_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400123C0 0_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140063BD0 0_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400663F0 0_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023BF0 0_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B41B 0_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B424 0_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B42D 0_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B436 0_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B43D 0_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140024440 0_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005C40 0_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B446 0_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005F490 0_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022D00 0_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035520 0_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019D20 0_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140030530 0_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023530 0_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031540 0_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033540 0_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014007BD50 0_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140078570 0_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019580 0_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400205A0 0_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140025DB0 0_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140071DC0 0_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000C5C0 0_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002DDE0 0_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031DF0 0_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000DDF0 0_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001620 0_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018630 0_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140032650 0_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140064E80 0_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016E80 0_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140007EA0 0_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400286B0 0_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140006EB0 0_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400276C0 0_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002FEC0 0_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002EED0 0_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002B6E0 0_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140053F20 0_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022730 0_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140029780 0_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018F80 0_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003EFB0 0_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400067B0 0_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400667D0 0_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140060FE0 0_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249BA5C8 17_2_00007FF6249BA5C8
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249B6218 17_2_00007FF6249B6218
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249BA1A0 17_2_00007FF6249BA1A0
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249C3718 17_2_00007FF6249C3718
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249B8310 17_2_00007FF6249B8310
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249C4F10 17_2_00007FF6249C4F10
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249C2BD8 17_2_00007FF6249C2BD8
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249C03A0 17_2_00007FF6249C03A0
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249B44E8 17_2_00007FF6249B44E8
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249CC4D0 17_2_00007FF6249CC4D0
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249B3514 17_2_00007FF6249B3514
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249C0CA8 17_2_00007FF6249C0CA8
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249B3080 17_2_00007FF6249B3080
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249CB088 17_2_00007FF6249CB088
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Code function: 20_2_00007FF68D872EF4 20_2_00007FF68D872EF4
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Code function: 20_2_00007FF68D888850 20_2_00007FF68D888850
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Code function: 20_2_00007FF68D888E2C 20_2_00007FF68D888E2C
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Code function: 20_2_00007FF68D87139C 20_2_00007FF68D87139C
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB4BD14 30_2_00007FF71BB4BD14
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB6FC59 30_2_00007FF71BB6FC59
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BAFDC44 30_2_00007FF71BAFDC44
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB6DB6C 30_2_00007FF71BB6DB6C
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB31AD4 30_2_00007FF71BB31AD4
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB57A20 30_2_00007FF71BB57A20
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB37A00 30_2_00007FF71BB37A00
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BACB928 30_2_00007FF71BACB928
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB4F920 30_2_00007FF71BB4F920
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BACA058 30_2_00007FF71BACA058
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB6BFEC 30_2_00007FF71BB6BFEC
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB5BF88 30_2_00007FF71BB5BF88
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB35F08 30_2_00007FF71BB35F08
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB2BE58 30_2_00007FF71BB2BE58
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BAC3D38 30_2_00007FF71BAC3D38
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB67460 30_2_00007FF71BB67460
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB19484 30_2_00007FF71BB19484
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB2B454 30_2_00007FF71BB2B454
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB5137C 30_2_00007FF71BB5137C
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BAF72C8 30_2_00007FF71BAF72C8
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB3B26C 30_2_00007FF71BB3B26C
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BAF3260 30_2_00007FF71BAF3260
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB55190 30_2_00007FF71BB55190
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB4B124 30_2_00007FF71BB4B124
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB5B14C 30_2_00007FF71BB5B14C
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB6D7A2 30_2_00007FF71BB6D7A2
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB5D788 30_2_00007FF71BB5D788
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB2D6B0 30_2_00007FF71BB2D6B0
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB2CCFC 30_2_00007FF71BB2CCFC
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BAFED00 30_2_00007FF71BAFED00
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BAE4CDC 30_2_00007FF71BAE4CDC
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB50C44 30_2_00007FF71BB50C44
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB289F4 30_2_00007FF71BB289F4
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB5A998 30_2_00007FF71BB5A998
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB16948 30_2_00007FF71BB16948
Source: C:\Users\user\AppData\Local\2oEy\tcmsetup.exe Code function: 33_2_00007FF6E3311A38 33_2_00007FF6E3311A38
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF21C9C 36_2_00007FF68AF21C9C
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF214A0 36_2_00007FF68AF214A0
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF134D8 36_2_00007FF68AF134D8
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF18348 36_2_00007FF68AF18348
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF21F68 36_2_00007FF68AF21F68
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF2340C 36_2_00007FF68AF2340C
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF1AE8C 36_2_00007FF68AF1AE8C
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF20A94 36_2_00007FF68AF20A94
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF17B1C 36_2_00007FF68AF17B1C
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF16954 36_2_00007FF68AF16954
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF191AC 36_2_00007FF68AF191AC
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF221C4 36_2_00007FF68AF221C4
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF15A34 36_2_00007FF68AF15A34
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF21A34 36_2_00007FF68AF21A34
Source: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe Code function: 38_2_00007FF6173E1098 38_2_00007FF6173E1098
Source: C:\Users\user\AppData\Local\mFxP\upfc.exe Code function: 40_2_00007FF7299C0C98 40_2_00007FF7299C0C98
Source: C:\Users\user\AppData\Local\mFxP\upfc.exe Code function: 40_2_00007FF7299B3320 40_2_00007FF7299B3320
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: String function: 00007FF71BB66AD8 appears 152 times
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: String function: 00007FF71BAC32F8 appears 268 times
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: String function: 00007FF71BAC4D68 appears 144 times
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: String function: 00007FF71BAC6894 appears 40 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140046C90 NtClose, 0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 NtQuerySystemInformation, 0_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB36C44 RtlInitUnicodeString,NtQueryLicenseValue, 30_2_00007FF71BB36C44
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB6A9CC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString, 30_2_00007FF71BB6A9CC
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF1AC78 KillTimer,GetLastError,KillTimer,GetLastError,SetTimer,GetLastError,NtdllDefWindowProc_A,KillTimer,EnumThreadWindows,PostQuitMessage, 36_2_00007FF68AF1AC78
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF1AE00 GetWindowLongPtrA,SetWindowLongPtrA,NtdllDefWindowProc_A, 36_2_00007FF68AF1AE00
Sample file is different than original file name gathered from version info
Source: Y7KrNvSxWx.dll Binary or memory string: OriginalFilenamekbdyj% vs Y7KrNvSxWx.dll
PE file contains strange resources
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdeunlock.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdeunlock.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdeunlock.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BitLockerWizardElev.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BitLockerWizardElev.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BitLockerWizardElev.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesDataExecutionPrevention.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesDataExecutionPrevention.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesDataExecutionPrevention.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: SYSDM.CPL0.4.dr Static PE information: Number of sections : 38 > 10
Source: dwmapi.dll.4.dr Static PE information: Number of sections : 38 > 10
Source: DUser.dll.4.dr Static PE information: Number of sections : 38 > 10
Source: TAPI32.dll.4.dr Static PE information: Number of sections : 38 > 10
Source: WTSAPI32.dll.4.dr Static PE information: Number of sections : 38 > 10
Source: Y7KrNvSxWx.dll Static PE information: Number of sections : 37 > 10
Source: XmlLite.dll.4.dr Static PE information: Number of sections : 38 > 10
Source: VERSION.dll.4.dr Static PE information: Number of sections : 38 > 10
Source: FVEWIZ.dll.4.dr Static PE information: Number of sections : 38 > 10
Source: SYSDM.CPL.4.dr Static PE information: Number of sections : 38 > 10
Source: VERSION.dll0.4.dr Static PE information: Number of sections : 38 > 10
Source: dwmapi.dll0.4.dr Static PE information: Number of sections : 38 > 10
Source: UxTheme.dll.4.dr Static PE information: Number of sections : 38 > 10
Source: Y7KrNvSxWx.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUser.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TAPI32.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FVEWIZ.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
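The two static checks applied above (a section table larger than 10 entries, and section names that no compiler emits) can be reproduced without the sandbox. The following is an added example written for this report, not Joe Sandbox code: a stdlib-only reader for the PE section table, plus a builder that constructs a headers-only PE image so the check can run offline. The 31 random section names are the ones listed for Y7KrNvSxWx.dll under "PE file contains sections with non-standard names"; the six conventional names added to reach the reported total of 37 are an assumption (the report confirms only .text). The allow-list of common section names is the author's, and it deliberately includes .didat and .imrsiv, which the report flags in SndVol.exe and GamePanel.exe even though those are unmodified Microsoft executables that the sample merely copies.

```python
from __future__ import annotations
import struct

# Section names produced by ordinary MSVC/Windows build tooling (allow-list is the
# author's choice). ".didat"/".imrsiv" are flagged in the report for SndVol.exe and
# GamePanel.exe, but those are genuine Microsoft binaries, so the names are allowed
# here to avoid scoring the copied decoys as malicious on that basis alone.
COMMON_SECTIONS = {
    ".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc", ".reloc",
    ".tls", ".bss", ".CRT", ".gfids", ".00cfg", ".xdata", ".mrdata", ".didat", ".imrsiv",
}
MAX_NORMAL_SECTIONS = 10   # the report's own threshold ("Number of sections : 38 > 10")

# The 31 non-standard names the report lists for Y7KrNvSxWx.dll, plus six conventional
# names (assumed; only .text is confirmed) that bring the total to the reported 37.
DRIDEX_SAMPLE_SECTIONS = [
    ".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
    ".qkm", ".cvjb", ".tlmkv", ".wucsxe", ".wnx", ".weqy", ".yby", ".ormx", ".dhclu",
    ".xmiul", ".tlwcxe", ".get", ".hzrd", ".gulz", ".ybavfq", ".hzccq", ".kmnqh",
    ".sqadf", ".uans", ".gelkgq", ".jbviw", ".ypg", ".qqs", ".dsy", ".fgy", ".onfp",
    ".clcj", ".fhc", ".ghxb", ".icyh", ".wguyua",
]


def pe_section_names(data: bytes) -> list[str]:
    """Walk the PE headers in `data` and return the section names in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes) starts here
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_of_optional     # IMAGE_SECTION_HEADER array, 40 bytes each
    names = []
    for i in range(num_sections):
        entry = data[table + 40 * i: table + 40 * i + 40]
        if len(entry) < 40:
            raise ValueError("section table truncated after %d entries" % i)
        names.append(entry[:8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def assess_sections(data: bytes) -> dict:
    """Apply the report's two static heuristics: section count and section names."""
    names = pe_section_names(data)
    unusual = [n for n in names if n not in COMMON_SECTIONS]
    return {
        "section_count": len(names),
        "too_many_sections": len(names) > MAX_NORMAL_SECTIONS,
        "unusual_names": unusual,
        # A single odd name is common in legitimate software (FileHistory.exe's ".nep"
        # in this report); a run of them, or an oversized table, is the real signal.
        "suspicious": len(names) > MAX_NORMAL_SECTIONS or len(unusual) >= 3,
    }


def build_test_pe(section_names: list[str]) -> bytes:
    """Construct a minimal PE32+ header image (headers only, never loadable) for testing."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xF0                                    # PE32+ optional header size
    file_header = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0,
                              size_of_optional, 0x2022)        # x64; EXECUTABLE|LARGE_ADDR|DLL
    optional_header = struct.pack("<H", 0x20B) + b"\0" * (size_of_optional - 2)
    table = b""
    for name in section_names:
        raw = name.encode("ascii")
        if len(raw) > 8:
            raise ValueError("section name longer than 8 bytes: %r" % name)
        table += raw.ljust(8, b"\0") + b"\0" * 32              # name + zeroed remaining fields
    return dos_header + b"PE\0\0" + file_header + optional_header + table


if __name__ == "__main__":
    ordinary = [".text", ".rdata", ".data", ".pdata", ".didat", ".rsrc", ".reloc"]
    for label, names in (("Y7KrNvSxWx.dll-like", DRIDEX_SAMPLE_SECTIONS), ("ordinary x64 DLL", ordinary)):
        print(label, assess_sections(build_test_pe(names)))
```

Run against the dropped files (dwmapi.dll, DUser.dll, SYSDM.CPL and the others listed with 38 sections), the same check fires for every one of them, which is the quickest way to confirm that they are copies of the payload rather than the Windows libraries their names imitate.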
Source: Y7KrNvSxWx.dll Virustotal: Detection: 64%
Source: Y7KrNvSxWx.dll ReversingLabs: Detection: 77%
Source: Y7KrNvSxWx.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,CloseDriver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,DefDriverProc
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,DriverCallback
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\KXZtu\SndVol.exe C:\Users\user\AppData\Local\KXZtu\SndVol.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\bdeunlock.exe C:\Windows\system32\bdeunlock.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesPerformance.exe C:\Windows\system32\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\tcmsetup.exe C:\Windows\system32\tcmsetup.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\2oEy\tcmsetup.exe C:\Users\user\AppData\Local\2oEy\tcmsetup.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\NakOm\wscript.exe C:\Users\user\AppData\Local\NakOm\wscript.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\BitLockerWizardElev.exe C:\Windows\system32\BitLockerWizardElev.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\upfc.exe C:\Windows\system32\upfc.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\mFxP\upfc.exe C:\Users\user\AppData\Local\mFxP\upfc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,CloseDriver Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,DefDriverProc Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,DriverCallback Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll',#1 Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\KXZtu\SndVol.exe C:\Users\user\AppData\Local\KXZtu\SndVol.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\bdeunlock.exe C:\Windows\system32\bdeunlock.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesPerformance.exe C:\Windows\system32\SystemPropertiesPerformance.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\tcmsetup.exe C:\Windows\system32\tcmsetup.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\2oEy\tcmsetup.exe C:\Users\user\AppData\Local\2oEy\tcmsetup.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\NakOm\wscript.exe C:\Users\user\AppData\Local\NakOm\wscript.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\BitLockerWizardElev.exe C:\Windows\system32\BitLockerWizardElev.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\upfc.exe C:\Windows\system32\upfc.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\mFxP\upfc.exe C:\Users\user\AppData\Local\mFxP\upfc.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
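The process rows above show a consistent pairing: explorer.exe launches a genuine System32 binary (SndVol.exe, bdeunlock.exe, GamePanel.exe, wscript.exe, ...) and then launches a copy of the same binary from a freshly created directory under C:\Users\user\AppData\Local\ with a random name (KXZtu, NakOm, cZk0IMu, ...). The dropped files listed elsewhere in this report (dwmapi.dll, DUser.dll, VERSION.dll, UxTheme.dll, TAPI32.dll, WTSAPI32.dll, XmlLite.dll, FVEWIZ.dll, SYSDM.CPL) carry the same random section names as Y7KrNvSxWx.dll, which is consistent with the copied executable loading the payload through DLL search-order hijacking from its new directory. The following is an added detection example written for this report, not Joe Sandbox code: it parses a constructed subset of the report's own "Process created" rows and flags a System32 binary that is re-launched by explorer.exe from a %LOCALAPPDATA% staging directory. The row format assumed is the one printed above; the field names and helper functions are the author's.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Matches the report's "Process created" rows. The image path is taken as the first
# whitespace-free token, which holds for every row in this report (no spaces in paths).
ROW = re.compile(r"^Source:\s+(?P<parent>\S+)\s+Process created:\s+(?P<image>\S+)\s*(?P<cmd>.*)$")

# Constructed subset of the rows above (this report's own events, not a live log).
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,CloseDriver
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\KXZtu\SndVol.exe C:\Users\user\AppData\Local\KXZtu\SndVol.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\NakOm\wscript.exe C:\Users\user\AppData\Local\NakOm\wscript.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
"""


def parse_rows(text: str) -> list[dict]:
    """Turn report rows into {parent, image, cmd} events, skipping unresolved children."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m["image"] == "unknown":      # "unknown unknown" rows carry no image
            continue
        events.append({"parent": m["parent"], "image": m["image"], "cmd": m["cmd"]})
    return events


def _is_system32(path: PureWindowsPath) -> bool:
    return str(path.parent).lower() == r"c:\windows\system32"


def _local_appdata_subdir(path: PureWindowsPath) -> str | None:
    """Return the staging directory if path is <drive>\\Users\\<u>\\AppData\\Local\\<dir>\\file."""
    parts = [p.lower() for p in path.parts]
    if len(parts) >= 7 and parts[1] == "users" and parts[3:5] == ["appdata", "local"]:
        return str(path.parent)
    return None


def find_relocated_system_binaries(events: list[dict]) -> list[dict]:
    """Flag a System32 binary re-launched by explorer.exe from a %LOCALAPPDATA% staging dir.

    The System32 launch must precede the staged one, mirroring the order in the report;
    relax this to a static list of System32 binary names if the first launch may be missed.
    """
    seen_in_system32: set[str] = set()
    hits = []
    for ev in events:
        image = PureWindowsPath(ev["image"])
        name = image.name.lower()
        if _is_system32(image):
            seen_in_system32.add(name)
            continue
        staging = _local_appdata_subdir(image)
        launched_by_explorer = ev["parent"].lower().endswith(r"\explorer.exe")
        if staging and name in seen_in_system32 and launched_by_explorer:
            hits.append({"binary": image.name, "staging_dir": staging, "parent": ev["parent"]})
    return hits


if __name__ == "__main__":
    for hit in find_relocated_system_binaries(parse_rows(SAMPLE_ROWS)):
        print("relocated system binary: %(binary)s staged in %(staging_dir)s by %(parent)s" % hit)
```

On a live host the same logic maps onto Sysmon Event ID 1 (ParentImage, Image, CommandLine) rather than report rows. Each flagged staging directory is also where the dropped DLL should be collected: the report lists one hijacked library name per copied binary (for example VERSION.dll and dwmapi.dll appear twice, as .dll and .dll0, because two decoys import them), and those files, not the copied Microsoft executable, are the payload.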
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winDLL@52/25@0/0
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249B9E34 CoCreateInstance,CoAllowSetForegroundWindow, 17_2_00007FF6249B9E34
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Code function: 20_2_00007FF68D8724D8 FormatMessageW,GetLastError, 20_2_00007FF68D8724D8
Source: C:\Users\user\AppData\Local\mFxP\upfc.exe Code function: 40_2_00007FF7299BE0E4 ChangeServiceConfigW,ChangeServiceConfig2W,ChangeServiceConfig2W,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,GetLastError, 40_2_00007FF7299BE0E4
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,CloseDriver
Source: C:\Users\user\AppData\Local\mFxP\upfc.exe Mutant created: \Sessions\1\BaseNamedObjects\{81978d18-9b5e-fd4f-7de1-2627a407a6e2}
Source: C:\Users\user\AppData\Local\mFxP\upfc.exe Mutant created: \Sessions\1\BaseNamedObjects\{f1f9b2b4-e115-ac5c-46a5-9b5b6fc59767}
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249B8E7C LoadResource,LockResource,SizeofResource, 17_2_00007FF6249B8E7C
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync SUCCEEDED
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync SUCCEEDED
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FINALIZING
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FINALIZING
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
Source: upfc.exe String found in binary or memory: /launchtype
Source: Y7KrNvSxWx.dll Static PE information: More than 179 > 100 exports found
Source: Y7KrNvSxWx.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: Y7KrNvSxWx.dll Static file information: File size 1249280 > 1048576
Source: Y7KrNvSxWx.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: BitLockerWizardElev.pdb source: BitLockerWizardElev.exe, 00000026.00000002.657739886.00007FF6173E2000.00000002.00020000.sdmp, BitLockerWizardElev.exe.4.dr
Source: Binary string: bdeunlock.pdbGCTL source: bdeunlock.exe, 00000014.00000002.516325068.00007FF68D897000.00000002.00020000.sdmp, bdeunlock.exe.4.dr
Source: Binary string: BdeUISrv.pdbGCTL source: BdeUISrv.exe.4.dr
Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe.4.dr
Source: Binary string: wscript.pdb source: wscript.exe, 00000024.00000002.630624352.00007FF68AF25000.00000002.00020000.sdmp, wscript.exe.4.dr
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr
Source: Binary string: bdeunlock.pdb source: bdeunlock.exe, 00000014.00000002.516325068.00007FF68D897000.00000002.00020000.sdmp, bdeunlock.exe.4.dr
Source: Binary string: tcmsetup.pdb source: tcmsetup.exe, 00000021.00000000.576808687.00007FF6E3313000.00000002.00020000.sdmp, tcmsetup.exe.4.dr
Source: Binary string: iexpress.pdb source: iexpress.exe.4.dr
Source: Binary string: iexpress.pdbGCTL source: iexpress.exe.4.dr
Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000011.00000002.489479361.00007FF6249D2000.00000002.00020000.sdmp, SndVol.exe.4.dr
Source: Binary string: SystemPropertiesDataExecutionPrevention.pdb source: SystemPropertiesDataExecutionPrevention.exe.4.dr
Source: Binary string: tcmsetup.pdbGCTL source: tcmsetup.exe, 00000021.00000000.576808687.00007FF6E3313000.00000002.00020000.sdmp, tcmsetup.exe.4.dr
Source: Binary string: upfc.pdb source: upfc.exe, 00000028.00000000.659462106.00007FF7299C2000.00000002.00020000.sdmp, upfc.exe.4.dr
Source: Binary string: SystemPropertiesPerformance.pdb source: SystemPropertiesPerformance.exe, 00000019.00000000.519427492.00007FF6A7B92000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.4.dr
Source: Binary string: BitLockerWizardElev.pdbGCTL source: BitLockerWizardElev.exe, 00000026.00000002.657739886.00007FF6173E2000.00000002.00020000.sdmp, BitLockerWizardElev.exe.4.dr
Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000024.00000002.630624352.00007FF68AF25000.00000002.00020000.sdmp, wscript.exe.4.dr
Source: Binary string: SystemPropertiesPerformance.pdbGCTL source: SystemPropertiesPerformance.exe, 00000019.00000000.519427492.00007FF6A7B92000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.4.dr
Source: Binary string: BdeUISrv.pdb source: BdeUISrv.exe.4.dr
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr
Source: Binary string: SystemPropertiesDataExecutionPrevention.pdbGCTL source: SystemPropertiesDataExecutionPrevention.exe.4.dr
Source: Binary string: SndVol.pdb source: SndVol.exe, 00000011.00000002.489479361.00007FF6249D2000.00000002.00020000.sdmp, SndVol.exe.4.dr
Source: Binary string: upfc.pdbGCTL source: upfc.exe, 00000028.00000000.659462106.00007FF7299C2000.00000002.00020000.sdmp, upfc.exe.4.dr
Source: Binary string: FileHistory.pdb source: FileHistory.exe.4.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret 0_2_0000000140056A4E
PE file contains sections with non-standard names
Source: Y7KrNvSxWx.dll Static PE information: section name: .qkm
Source: Y7KrNvSxWx.dll Static PE information: section name: .cvjb
Source: Y7KrNvSxWx.dll Static PE information: section name: .tlmkv
Source: Y7KrNvSxWx.dll Static PE information: section name: .wucsxe
Source: Y7KrNvSxWx.dll Static PE information: section name: .wnx
Source: Y7KrNvSxWx.dll Static PE information: section name: .weqy
Source: Y7KrNvSxWx.dll Static PE information: section name: .yby
Source: Y7KrNvSxWx.dll Static PE information: section name: .ormx
Source: Y7KrNvSxWx.dll Static PE information: section name: .dhclu
Source: Y7KrNvSxWx.dll Static PE information: section name: .xmiul
Source: Y7KrNvSxWx.dll Static PE information: section name: .tlwcxe
Source: Y7KrNvSxWx.dll Static PE information: section name: .get
Source: Y7KrNvSxWx.dll Static PE information: section name: .hzrd
Source: Y7KrNvSxWx.dll Static PE information: section name: .gulz
Source: Y7KrNvSxWx.dll Static PE information: section name: .ybavfq
Source: Y7KrNvSxWx.dll Static PE information: section name: .hzccq
Source: Y7KrNvSxWx.dll Static PE information: section name: .kmnqh
Source: Y7KrNvSxWx.dll Static PE information: section name: .sqadf
Source: Y7KrNvSxWx.dll Static PE information: section name: .uans
Source: Y7KrNvSxWx.dll Static PE information: section name: .gelkgq
Source: Y7KrNvSxWx.dll Static PE information: section name: .jbviw
Source: Y7KrNvSxWx.dll Static PE information: section name: .ypg
Source: Y7KrNvSxWx.dll Static PE information: section name: .qqs
Source: Y7KrNvSxWx.dll Static PE information: section name: .dsy
Source: Y7KrNvSxWx.dll Static PE information: section name: .fgy
Source: Y7KrNvSxWx.dll Static PE information: section name: .onfp
Source: Y7KrNvSxWx.dll Static PE information: section name: .clcj
Source: Y7KrNvSxWx.dll Static PE information: section name: .fhc
Source: Y7KrNvSxWx.dll Static PE information: section name: .ghxb
Source: Y7KrNvSxWx.dll Static PE information: section name: .icyh
Source: Y7KrNvSxWx.dll Static PE information: section name: .wguyua
Source: SndVol.exe.4.dr Static PE information: section name: .imrsiv
Source: SndVol.exe.4.dr Static PE information: section name: .didat
Source: bdeunlock.exe.4.dr Static PE information: section name: .imrsiv
Source: GamePanel.exe.4.dr Static PE information: section name: .imrsiv
Source: GamePanel.exe.4.dr Static PE information: section name: .didat
Source: FileHistory.exe.4.dr Static PE information: section name: .nep
Source: dwmapi.dll.4.dr Static PE information: section name: .qkm
Source: dwmapi.dll.4.dr Static PE information: section name: .cvjb
Source: dwmapi.dll.4.dr Static PE information: section name: .tlmkv
Source: dwmapi.dll.4.dr Static PE information: section name: .wucsxe
Source: dwmapi.dll.4.dr Static PE information: section name: .wnx
Source: dwmapi.dll.4.dr Static PE information: section name: .weqy
Source: dwmapi.dll.4.dr Static PE information: section name: .yby
Source: dwmapi.dll.4.dr Static PE information: section name: .ormx
Source: dwmapi.dll.4.dr Static PE information: section name: .dhclu
Source: dwmapi.dll.4.dr Static PE information: section name: .xmiul
Source: dwmapi.dll.4.dr Static PE information: section name: .tlwcxe
Source: dwmapi.dll.4.dr Static PE information: section name: .get
Source: dwmapi.dll.4.dr Static PE information: section name: .hzrd
Source: dwmapi.dll.4.dr Static PE information: section name: .gulz
Source: dwmapi.dll.4.dr Static PE information: section name: .ybavfq
Source: dwmapi.dll.4.dr Static PE information: section name: .hzccq
Source: dwmapi.dll.4.dr Static PE information: section name: .kmnqh
Source: dwmapi.dll.4.dr Static PE information: section name: .sqadf
Source: dwmapi.dll.4.dr Static PE information: section name: .uans
Source: dwmapi.dll.4.dr Static PE information: section name: .gelkgq
Source: dwmapi.dll.4.dr Static PE information: section name: .jbviw
Source: dwmapi.dll.4.dr Static PE information: section name: .ypg
Source: dwmapi.dll.4.dr Static PE information: section name: .qqs
Source: dwmapi.dll.4.dr Static PE information: section name: .dsy
Source: dwmapi.dll.4.dr Static PE information: section name: .fgy
Source: dwmapi.dll.4.dr Static PE information: section name: .onfp
Source: dwmapi.dll.4.dr Static PE information: section name: .clcj
Source: dwmapi.dll.4.dr Static PE information: section name: .fhc
Source: dwmapi.dll.4.dr Static PE information: section name: .ghxb
Source: dwmapi.dll.4.dr Static PE information: section name: .icyh
Source: dwmapi.dll.4.dr Static PE information: section name: .wguyua
Source: dwmapi.dll.4.dr Static PE information: section name: .mkadq
Source: DUser.dll.4.dr Static PE information: section name: .qkm
Source: DUser.dll.4.dr Static PE information: section name: .cvjb
Source: DUser.dll.4.dr Static PE information: section name: .tlmkv
Source: DUser.dll.4.dr Static PE information: section name: .wucsxe
Source: DUser.dll.4.dr Static PE information: section name: .wnx
Source: DUser.dll.4.dr Static PE information: section name: .weqy
Source: DUser.dll.4.dr Static PE information: section name: .yby
Source: DUser.dll.4.dr Static PE information: section name: .ormx
Source: DUser.dll.4.dr Static PE information: section name: .dhclu
Source: DUser.dll.4.dr Static PE information: section name: .xmiul
Source: DUser.dll.4.dr Static PE information: section name: .tlwcxe
Source: DUser.dll.4.dr Static PE information: section name: .get
Source: DUser.dll.4.dr Static PE information: section name: .hzrd
Source: DUser.dll.4.dr Static PE information: section name: .gulz
Source: DUser.dll.4.dr Static PE information: section name: .ybavfq
Source: DUser.dll.4.dr Static PE information: section name: .hzccq
Source: DUser.dll.4.dr Static PE information: section name: .kmnqh
Source: DUser.dll.4.dr Static PE information: section name: .sqadf
Source: DUser.dll.4.dr Static PE information: section name: .uans
Source: DUser.dll.4.dr Static PE information: section name: .gelkgq
Source: DUser.dll.4.dr Static PE information: section name: .jbviw
Source: DUser.dll.4.dr Static PE information: section name: .ypg
Source: DUser.dll.4.dr Static PE information: section name: .qqs
Source: DUser.dll.4.dr Static PE information: section name: .dsy
Source: DUser.dll.4.dr Static PE information: section name: .fgy
Source: DUser.dll.4.dr Static PE information: section name: .onfp
Source: DUser.dll.4.dr Static PE information: section name: .clcj
Source: DUser.dll.4.dr Static PE information: section name: .fhc
Source: DUser.dll.4.dr Static PE information: section name: .ghxb
Source: DUser.dll.4.dr Static PE information: section name: .icyh
Source: DUser.dll.4.dr Static PE information: section name: .wguyua
Source: DUser.dll.4.dr Static PE information: section name: .utdog
Source: SYSDM.CPL.4.dr Static PE information: section name: .qkm
Source: SYSDM.CPL.4.dr Static PE information: section name: .cvjb
Source: SYSDM.CPL.4.dr Static PE information: section name: .tlmkv
Source: SYSDM.CPL.4.dr Static PE information: section name: .wucsxe
Source: SYSDM.CPL.4.dr Static PE information: section name: .wnx
Source: SYSDM.CPL.4.dr Static PE information: section name: .weqy
Source: SYSDM.CPL.4.dr Static PE information: section name: .yby
Source: SYSDM.CPL.4.dr Static PE information: section name: .ormx
Source: SYSDM.CPL.4.dr Static PE information: section name: .dhclu
Source: SYSDM.CPL.4.dr Static PE information: section name: .xmiul
Source: SYSDM.CPL.4.dr Static PE information: section name: .tlwcxe
Source: SYSDM.CPL.4.dr Static PE information: section name: .get
Source: SYSDM.CPL.4.dr Static PE information: section name: .hzrd
Source: SYSDM.CPL.4.dr Static PE information: section name: .gulz
Source: SYSDM.CPL.4.dr Static PE information: section name: .ybavfq
Source: SYSDM.CPL.4.dr Static PE information: section name: .hzccq
Source: SYSDM.CPL.4.dr Static PE information: section name: .kmnqh
Source: SYSDM.CPL.4.dr Static PE information: section name: .sqadf
Source: SYSDM.CPL.4.dr Static PE information: section name: .uans
Source: SYSDM.CPL.4.dr Static PE information: section name: .gelkgq
Source: SYSDM.CPL.4.dr Static PE information: section name: .jbviw
Source: SYSDM.CPL.4.dr Static PE information: section name: .ypg
Source: SYSDM.CPL.4.dr Static PE information: section name: .qqs
Source: SYSDM.CPL.4.dr Static PE information: section name: .dsy
Source: SYSDM.CPL.4.dr Static PE information: section name: .fgy
Source: SYSDM.CPL.4.dr Static PE information: section name: .onfp
Source: SYSDM.CPL.4.dr Static PE information: section name: .clcj
Source: SYSDM.CPL.4.dr Static PE information: section name: .fhc
Source: SYSDM.CPL.4.dr Static PE information: section name: .ghxb
Source: SYSDM.CPL.4.dr Static PE information: section name: .icyh
Source: SYSDM.CPL.4.dr Static PE information: section name: .wguyua
Source: SYSDM.CPL.4.dr Static PE information: section name: .xjg
Source: dwmapi.dll0.4.dr Static PE information: section name: .qkm
Source: dwmapi.dll0.4.dr Static PE information: section name: .cvjb
Source: dwmapi.dll0.4.dr Static PE information: section name: .tlmkv
Source: dwmapi.dll0.4.dr Static PE information: section name: .wucsxe
Source: dwmapi.dll0.4.dr Static PE information: section name: .wnx
Source: dwmapi.dll0.4.dr Static PE information: section name: .weqy
Source: dwmapi.dll0.4.dr Static PE information: section name: .yby
Source: dwmapi.dll0.4.dr Static PE information: section name: .ormx
Source: dwmapi.dll0.4.dr Static PE information: section name: .dhclu
Source: dwmapi.dll0.4.dr Static PE information: section name: .xmiul
Source: dwmapi.dll0.4.dr Static PE information: section name: .tlwcxe
Source: dwmapi.dll0.4.dr Static PE information: section name: .get
Source: dwmapi.dll0.4.dr Static PE information: section name: .hzrd
Source: dwmapi.dll0.4.dr Static PE information: section name: .gulz
Source: dwmapi.dll0.4.dr Static PE information: section name: .ybavfq
Source: dwmapi.dll0.4.dr Static PE information: section name: .hzccq
Source: dwmapi.dll0.4.dr Static PE information: section name: .kmnqh
Source: dwmapi.dll0.4.dr Static PE information: section name: .sqadf
Source: dwmapi.dll0.4.dr Static PE information: section name: .uans
Source: dwmapi.dll0.4.dr Static PE information: section name: .gelkgq
Source: dwmapi.dll0.4.dr Static PE information: section name: .jbviw
Source: dwmapi.dll0.4.dr Static PE information: section name: .ypg
Source: dwmapi.dll0.4.dr Static PE information: section name: .qqs
Source: dwmapi.dll0.4.dr Static PE information: section name: .dsy
Source: dwmapi.dll0.4.dr Static PE information: section name: .fgy
Source: dwmapi.dll0.4.dr Static PE information: section name: .onfp
Source: dwmapi.dll0.4.dr Static PE information: section name: .clcj
Source: dwmapi.dll0.4.dr Static PE information: section name: .fhc
Source: dwmapi.dll0.4.dr Static PE information: section name: .ghxb
Source: dwmapi.dll0.4.dr Static PE information: section name: .icyh
Source: dwmapi.dll0.4.dr Static PE information: section name: .wguyua
Source: dwmapi.dll0.4.dr Static PE information: section name: .scnrap
Source: TAPI32.dll.4.dr Static PE information: section name: .qkm
Source: TAPI32.dll.4.dr Static PE information: section name: .cvjb
Source: TAPI32.dll.4.dr Static PE information: section name: .tlmkv
Source: TAPI32.dll.4.dr Static PE information: section name: .wucsxe
Source: TAPI32.dll.4.dr Static PE information: section name: .wnx
Source: TAPI32.dll.4.dr Static PE information: section name: .weqy
Source: TAPI32.dll.4.dr Static PE information: section name: .yby
Source: TAPI32.dll.4.dr Static PE information: section name: .ormx
Source: TAPI32.dll.4.dr Static PE information: section name: .dhclu
Source: TAPI32.dll.4.dr Static PE information: section name: .xmiul
Source: TAPI32.dll.4.dr Static PE information: section name: .tlwcxe
Source: TAPI32.dll.4.dr Static PE information: section name: .get
Source: TAPI32.dll.4.dr Static PE information: section name: .hzrd
Source: TAPI32.dll.4.dr Static PE information: section name: .gulz
Source: TAPI32.dll.4.dr Static PE information: section name: .ybavfq
Source: TAPI32.dll.4.dr Static PE information: section name: .hzccq
Source: TAPI32.dll.4.dr Static PE information: section name: .kmnqh
Source: TAPI32.dll.4.dr Static PE information: section name: .sqadf
Source: TAPI32.dll.4.dr Static PE information: section name: .uans
Source: TAPI32.dll.4.dr Static PE information: section name: .gelkgq
Source: TAPI32.dll.4.dr Static PE information: section name: .jbviw
Source: TAPI32.dll.4.dr Static PE information: section name: .ypg
Source: TAPI32.dll.4.dr Static PE information: section name: .qqs
Source: TAPI32.dll.4.dr Static PE information: section name: .dsy
Source: TAPI32.dll.4.dr Static PE information: section name: .fgy
Source: TAPI32.dll.4.dr Static PE information: section name: .onfp
Source: TAPI32.dll.4.dr Static PE information: section name: .clcj
Source: TAPI32.dll.4.dr Static PE information: section name: .fhc
Source: TAPI32.dll.4.dr Static PE information: section name: .ghxb
Source: TAPI32.dll.4.dr Static PE information: section name: .icyh
Source: TAPI32.dll.4.dr Static PE information: section name: .wguyua
Source: TAPI32.dll.4.dr Static PE information: section name: .lisssh
Source: VERSION.dll.4.dr Static PE information: section name: .qkm
Source: VERSION.dll.4.dr Static PE information: section name: .cvjb
Source: VERSION.dll.4.dr Static PE information: section name: .tlmkv
Source: VERSION.dll.4.dr Static PE information: section name: .wucsxe
Source: VERSION.dll.4.dr Static PE information: section name: .wnx
Source: VERSION.dll.4.dr Static PE information: section name: .weqy
Source: VERSION.dll.4.dr Static PE information: section name: .yby
Source: VERSION.dll.4.dr Static PE information: section name: .ormx
Source: VERSION.dll.4.dr Static PE information: section name: .dhclu
Source: VERSION.dll.4.dr Static PE information: section name: .xmiul
Source: VERSION.dll.4.dr Static PE information: section name: .tlwcxe
Source: VERSION.dll.4.dr Static PE information: section name: .get
Source: VERSION.dll.4.dr Static PE information: section name: .hzrd
Source: VERSION.dll.4.dr Static PE information: section name: .gulz
Source: VERSION.dll.4.dr Static PE information: section name: .ybavfq
Source: VERSION.dll.4.dr Static PE information: section name: .hzccq
Source: VERSION.dll.4.dr Static PE information: section name: .kmnqh
Source: VERSION.dll.4.dr Static PE information: section name: .sqadf
Source: VERSION.dll.4.dr Static PE information: section name: .uans
Source: VERSION.dll.4.dr Static PE information: section name: .gelkgq
Source: VERSION.dll.4.dr Static PE information: section name: .jbviw
Source: VERSION.dll.4.dr Static PE information: section name: .ypg
Source: VERSION.dll.4.dr Static PE information: section name: .qqs
Source: VERSION.dll.4.dr Static PE information: section name: .dsy
Source: VERSION.dll.4.dr Static PE information: section name: .fgy
Source: VERSION.dll.4.dr Static PE information: section name: .onfp
Source: VERSION.dll.4.dr Static PE information: section name: .clcj
Source: VERSION.dll.4.dr Static PE information: section name: .fhc
Source: VERSION.dll.4.dr Static PE information: section name: .ghxb
Source: VERSION.dll.4.dr Static PE information: section name: .icyh
Source: VERSION.dll.4.dr Static PE information: section name: .wguyua
Source: VERSION.dll.4.dr Static PE information: section name: .pkopjx
Source: FVEWIZ.dll.4.dr Static PE information: section name: .qkm
Source: FVEWIZ.dll.4.dr Static PE information: section name: .cvjb
Source: FVEWIZ.dll.4.dr Static PE information: section name: .tlmkv
Source: FVEWIZ.dll.4.dr Static PE information: section name: .wucsxe
Source: FVEWIZ.dll.4.dr Static PE information: section name: .wnx
Source: FVEWIZ.dll.4.dr Static PE information: section name: .weqy
Source: FVEWIZ.dll.4.dr Static PE information: section name: .yby
Source: FVEWIZ.dll.4.dr Static PE information: section name: .ormx
Source: FVEWIZ.dll.4.dr Static PE information: section name: .dhclu
Source: FVEWIZ.dll.4.dr Static PE information: section name: .xmiul
Source: FVEWIZ.dll.4.dr Static PE information: section name: .tlwcxe
Source: FVEWIZ.dll.4.dr Static PE information: section name: .get
Source: FVEWIZ.dll.4.dr Static PE information: section name: .hzrd
Source: FVEWIZ.dll.4.dr Static PE information: section name: .gulz
Source: FVEWIZ.dll.4.dr Static PE information: section name: .ybavfq
Source: FVEWIZ.dll.4.dr Static PE information: section name: .hzccq
Source: FVEWIZ.dll.4.dr Static PE information: section name: .kmnqh
Source: FVEWIZ.dll.4.dr Static PE information: section name: .sqadf
Source: FVEWIZ.dll.4.dr Static PE information: section name: .uans
Source: FVEWIZ.dll.4.dr Static PE information: section name: .gelkgq
Source: FVEWIZ.dll.4.dr Static PE information: section name: .jbviw
Source: FVEWIZ.dll.4.dr Static PE information: section name: .ypg
Source: FVEWIZ.dll.4.dr Static PE information: section name: .qqs
Source: FVEWIZ.dll.4.dr Static PE information: section name: .dsy
Source: FVEWIZ.dll.4.dr Static PE information: section name: .fgy
Source: FVEWIZ.dll.4.dr Static PE information: section name: .onfp
Source: FVEWIZ.dll.4.dr Static PE information: section name: .clcj
Source: FVEWIZ.dll.4.dr Static PE information: section name: .fhc
Source: FVEWIZ.dll.4.dr Static PE information: section name: .ghxb
Source: FVEWIZ.dll.4.dr Static PE information: section name: .icyh
Source: FVEWIZ.dll.4.dr Static PE information: section name: .wguyua
Source: FVEWIZ.dll.4.dr Static PE information: section name: .yza
Source: XmlLite.dll.4.dr Static PE information: section name: .qkm
Source: XmlLite.dll.4.dr Static PE information: section name: .cvjb
Source: XmlLite.dll.4.dr Static PE information: section name: .tlmkv
Source: XmlLite.dll.4.dr Static PE information: section name: .wucsxe
Source: XmlLite.dll.4.dr Static PE information: section name: .wnx
Source: XmlLite.dll.4.dr Static PE information: section name: .weqy
Source: XmlLite.dll.4.dr Static PE information: section name: .yby
Source: XmlLite.dll.4.dr Static PE information: section name: .ormx
Source: XmlLite.dll.4.dr Static PE information: section name: .dhclu
Source: XmlLite.dll.4.dr Static PE information: section name: .xmiul
Source: XmlLite.dll.4.dr Static PE information: section name: .tlwcxe
Source: XmlLite.dll.4.dr Static PE information: section name: .get
Source: XmlLite.dll.4.dr Static PE information: section name: .hzrd
Source: XmlLite.dll.4.dr Static PE information: section name: .gulz
Source: XmlLite.dll.4.dr Static PE information: section name: .ybavfq
Source: XmlLite.dll.4.dr Static PE information: section name: .hzccq
Source: XmlLite.dll.4.dr Static PE information: section name: .kmnqh
Source: XmlLite.dll.4.dr Static PE information: section name: .sqadf
Source: XmlLite.dll.4.dr Static PE information: section name: .uans
Source: XmlLite.dll.4.dr Static PE information: section name: .gelkgq
Source: XmlLite.dll.4.dr Static PE information: section name: .jbviw
Source: XmlLite.dll.4.dr Static PE information: section name: .ypg
Source: XmlLite.dll.4.dr Static PE information: section name: .qqs
Source: XmlLite.dll.4.dr Static PE information: section name: .dsy
Source: XmlLite.dll.4.dr Static PE information: section name: .fgy
Source: XmlLite.dll.4.dr Static PE information: section name: .onfp
Source: XmlLite.dll.4.dr Static PE information: section name: .clcj
Source: XmlLite.dll.4.dr Static PE information: section name: .fhc
Source: XmlLite.dll.4.dr Static PE information: section name: .ghxb
Source: XmlLite.dll.4.dr Static PE information: section name: .icyh
Source: XmlLite.dll.4.dr Static PE information: section name: .wguyua
Source: XmlLite.dll.4.dr Static PE information: section name: .oxh
Source: SYSDM.CPL0.4.dr Static PE information: section name: .qkm
Source: SYSDM.CPL0.4.dr Static PE information: section name: .cvjb
Source: SYSDM.CPL0.4.dr Static PE information: section name: .tlmkv
Source: SYSDM.CPL0.4.dr Static PE information: section name: .wucsxe
Source: SYSDM.CPL0.4.dr Static PE information: section name: .wnx
Source: SYSDM.CPL0.4.dr Static PE information: section name: .weqy
Source: SYSDM.CPL0.4.dr Static PE information: section name: .yby
Source: SYSDM.CPL0.4.dr Static PE information: section name: .ormx
Source: SYSDM.CPL0.4.dr Static PE information: section name: .dhclu
Source: SYSDM.CPL0.4.dr Static PE information: section name: .xmiul
Source: SYSDM.CPL0.4.dr Static PE information: section name: .tlwcxe
Source: SYSDM.CPL0.4.dr Static PE information: section name: .get
Source: SYSDM.CPL0.4.dr Static PE information: section name: .hzrd
Source: SYSDM.CPL0.4.dr Static PE information: section name: .gulz
Source: SYSDM.CPL0.4.dr Static PE information: section name: .ybavfq
Source: SYSDM.CPL0.4.dr Static PE information: section name: .hzccq
Source: SYSDM.CPL0.4.dr Static PE information: section name: .kmnqh
Source: SYSDM.CPL0.4.dr Static PE information: section name: .sqadf
Source: SYSDM.CPL0.4.dr Static PE information: section name: .uans
Source: SYSDM.CPL0.4.dr Static PE information: section name: .gelkgq
Source: SYSDM.CPL0.4.dr Static PE information: section name: .jbviw
Source: SYSDM.CPL0.4.dr Static PE information: section name: .ypg
Source: SYSDM.CPL0.4.dr Static PE information: section name: .qqs
Source: SYSDM.CPL0.4.dr Static PE information: section name: .dsy
Source: SYSDM.CPL0.4.dr Static PE information: section name: .fgy
Source: SYSDM.CPL0.4.dr Static PE information: section name: .onfp
Source: SYSDM.CPL0.4.dr Static PE information: section name: .clcj
Source: SYSDM.CPL0.4.dr Static PE information: section name: .fhc
Source: SYSDM.CPL0.4.dr Static PE information: section name: .ghxb
Source: SYSDM.CPL0.4.dr Static PE information: section name: .icyh
Source: SYSDM.CPL0.4.dr Static PE information: section name: .wguyua
Source: SYSDM.CPL0.4.dr Static PE information: section name: .dcq
Source: VERSION.dll0.4.dr Static PE information: section name: .qkm
Source: VERSION.dll0.4.dr Static PE information: section name: .cvjb
Source: VERSION.dll0.4.dr Static PE information: section name: .tlmkv
Source: VERSION.dll0.4.dr Static PE information: section name: .wucsxe
Source: VERSION.dll0.4.dr Static PE information: section name: .wnx
Source: VERSION.dll0.4.dr Static PE information: section name: .weqy
Source: VERSION.dll0.4.dr Static PE information: section name: .yby
Source: VERSION.dll0.4.dr Static PE information: section name: .ormx
Source: VERSION.dll0.4.dr Static PE information: section name: .dhclu
Source: VERSION.dll0.4.dr Static PE information: section name: .xmiul
Source: VERSION.dll0.4.dr Static PE information: section name: .tlwcxe
Source: VERSION.dll0.4.dr Static PE information: section name: .get
Source: VERSION.dll0.4.dr Static PE information: section name: .hzrd
Source: VERSION.dll0.4.dr Static PE information: section name: .gulz
Source: VERSION.dll0.4.dr Static PE information: section name: .ybavfq
Source: VERSION.dll0.4.dr Static PE information: section name: .hzccq
Source: VERSION.dll0.4.dr Static PE information: section name: .kmnqh
Source: VERSION.dll0.4.dr Static PE information: section name: .sqadf
Source: VERSION.dll0.4.dr Static PE information: section name: .uans
Source: VERSION.dll0.4.dr Static PE information: section name: .gelkgq
Source: VERSION.dll0.4.dr Static PE information: section name: .jbviw
Source: VERSION.dll0.4.dr Static PE information: section name: .ypg
Source: VERSION.dll0.4.dr Static PE information: section name: .qqs
Source: VERSION.dll0.4.dr Static PE information: section name: .dsy
Source: VERSION.dll0.4.dr Static PE information: section name: .fgy
Source: VERSION.dll0.4.dr Static PE information: section name: .onfp
Source: VERSION.dll0.4.dr Static PE information: section name: .clcj
Source: VERSION.dll0.4.dr Static PE information: section name: .fhc
Source: VERSION.dll0.4.dr Static PE information: section name: .ghxb
Source: VERSION.dll0.4.dr Static PE information: section name: .icyh
Source: VERSION.dll0.4.dr Static PE information: section name: .wguyua
Source: VERSION.dll0.4.dr Static PE information: section name: .sgswxz
Source: UxTheme.dll.4.dr Static PE information: section name: .qkm
Source: UxTheme.dll.4.dr Static PE information: section name: .cvjb
Source: UxTheme.dll.4.dr Static PE information: section name: .tlmkv
Source: UxTheme.dll.4.dr Static PE information: section name: .wucsxe
Source: UxTheme.dll.4.dr Static PE information: section name: .wnx
Source: UxTheme.dll.4.dr Static PE information: section name: .weqy
Source: UxTheme.dll.4.dr Static PE information: section name: .yby
Source: UxTheme.dll.4.dr Static PE information: section name: .ormx
Source: UxTheme.dll.4.dr Static PE information: section name: .dhclu
Source: UxTheme.dll.4.dr Static PE information: section name: .xmiul
Source: UxTheme.dll.4.dr Static PE information: section name: .tlwcxe
Source: UxTheme.dll.4.dr Static PE information: section name: .get
Source: UxTheme.dll.4.dr Static PE information: section name: .hzrd
Source: UxTheme.dll.4.dr Static PE information: section name: .gulz
Source: UxTheme.dll.4.dr Static PE information: section name: .ybavfq
Source: UxTheme.dll.4.dr Static PE information: section name: .hzccq
Source: UxTheme.dll.4.dr Static PE information: section name: .kmnqh
Source: UxTheme.dll.4.dr Static PE information: section name: .sqadf
Source: UxTheme.dll.4.dr Static PE information: section name: .uans
Source: UxTheme.dll.4.dr Static PE information: section name: .gelkgq
Source: UxTheme.dll.4.dr Static PE information: section name: .jbviw
Source: UxTheme.dll.4.dr Static PE information: section name: .ypg
Source: UxTheme.dll.4.dr Static PE information: section name: .qqs
Source: UxTheme.dll.4.dr Static PE information: section name: .dsy
Source: UxTheme.dll.4.dr Static PE information: section name: .fgy
Source: UxTheme.dll.4.dr Static PE information: section name: .onfp
Source: UxTheme.dll.4.dr Static PE information: section name: .clcj
Source: UxTheme.dll.4.dr Static PE information: section name: .fhc
Source: UxTheme.dll.4.dr Static PE information: section name: .ghxb
Source: UxTheme.dll.4.dr Static PE information: section name: .icyh
Source: UxTheme.dll.4.dr Static PE information: section name: .wguyua
Source: UxTheme.dll.4.dr Static PE information: section name: .fygqp
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qkm
Source: WTSAPI32.dll.4.dr Static PE information: section name: .cvjb
Source: WTSAPI32.dll.4.dr Static PE information: section name: .tlmkv
Source: WTSAPI32.dll.4.dr Static PE information: section name: .wucsxe
Source: WTSAPI32.dll.4.dr Static PE information: section name: .wnx
Source: WTSAPI32.dll.4.dr Static PE information: section name: .weqy
Source: WTSAPI32.dll.4.dr Static PE information: section name: .yby
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ormx
Source: WTSAPI32.dll.4.dr Static PE information: section name: .dhclu
Source: WTSAPI32.dll.4.dr Static PE information: section name: .xmiul
Source: WTSAPI32.dll.4.dr Static PE information: section name: .tlwcxe
Source: WTSAPI32.dll.4.dr Static PE information: section name: .get
Source: WTSAPI32.dll.4.dr Static PE information: section name: .hzrd
Source: WTSAPI32.dll.4.dr Static PE information: section name: .gulz
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ybavfq
Source: WTSAPI32.dll.4.dr Static PE information: section name: .hzccq
Source: WTSAPI32.dll.4.dr Static PE information: section name: .kmnqh
Source: WTSAPI32.dll.4.dr Static PE information: section name: .sqadf
Source: WTSAPI32.dll.4.dr Static PE information: section name: .uans
Source: WTSAPI32.dll.4.dr Static PE information: section name: .gelkgq
Source: WTSAPI32.dll.4.dr Static PE information: section name: .jbviw
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ypg
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qqs
Source: WTSAPI32.dll.4.dr Static PE information: section name: .dsy
Source: WTSAPI32.dll.4.dr Static PE information: section name: .fgy
Source: WTSAPI32.dll.4.dr Static PE information: section name: .onfp
Source: WTSAPI32.dll.4.dr Static PE information: section name: .clcj
Source: WTSAPI32.dll.4.dr Static PE information: section name: .fhc
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ghxb
Source: WTSAPI32.dll.4.dr Static PE information: section name: .icyh
Source: WTSAPI32.dll.4.dr Static PE information: section name: .wguyua
Source: WTSAPI32.dll.4.dr Static PE information: section name: .nouixc
PE file contains an invalid checksum
Source: SYSDM.CPL0.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x141d35
Source: dwmapi.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x13a77a
Source: DUser.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x136f03
Source: TAPI32.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x133731
Source: WTSAPI32.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x132066
Source: Y7KrNvSxWx.dll Static PE information: real checksum: 0x7d786c40 should be: 0x13f997
Source: XmlLite.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x13bfd3
Source: VERSION.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x13b3b1
Source: FVEWIZ.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x132d2f
Source: SYSDM.CPL.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x13fe78
Source: VERSION.dll0.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x135d2b
Source: dwmapi.dll0.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x13ac7d
Source: UxTheme.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x13a732
Binary contains a suspicious time stamp
Source: SndVol.exe.4.dr Static PE information: 0x6E534A77 [Sun Aug 27 01:25:11 2028 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
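
The static findings above are all cheap header checks, and together they say more than each one alone: every dropped DLL carries the same run of randomized section names (.qkm through .wguyua) and differs only in its last section, all thirteen PE files store the same CheckSum 0x7d786c40 (the report prints the stored field as "real checksum" and the recomputed value as "should be"), SndVol.exe's link stamp lies in 2028, and the sample's .text section sits at 7.73 bits of entropy, where packed or encrypted code lives. The example below reproduces those four checks in pure Python against a constructed in-memory PE32+ image; it is added here and is not Joe Sandbox code. The allowlist of standard section names, the 7.0-bit entropy threshold and the pinned "now" of 2021-09-28 are assumptions of the example; the section names, CheckSum and timestamp fed to it are the values the report lists.

```python
"""Static PE triage in pure Python: section names, per-section entropy, stored vs.
recomputed CheckSum and link-time stamp. Added example, not the sandbox's own code."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Allowlist of names a stock MSVC/MinGW build emits (an assumption of this example).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".CRT", ".debug", ".xdata", ".didat",
                     ".gfids", ".00cfg", "_RDATA"}

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def _header_offsets(data: bytes):
    """(COFF header offset, optional header offset) after the MZ/PE signature checks."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4, e_lfanew + 24

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSum as imagehlp computes it: 32-bit word sum with end-around carry,
    skipping the CheckSum field itself, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip, total = checksum_offset & ~3, 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def parse_pe(data: bytes) -> dict:
    """Fields the triage needs; PE32 and PE32+ agree on every offset used here."""
    coff, opt = _header_offsets(data)
    nsections, timestamp = struct.unpack_from("<HI", data, coff + 2)
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].split(b"\0", 1)[0].decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections.append({"name": name, "standard": name in STANDARD_SECTIONS,
                         "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
    return {"timestamp": timestamp, "sections": sections,
            "stored_checksum": struct.unpack_from("<I", data, opt + 0x40)[0],
            "computed_checksum": pe_checksum(data, opt + 0x40)}

def triage(data: bytes, now_epoch=None) -> list:
    """Findings phrased like the report's static signatures."""
    pe = parse_pe(data)
    now_epoch = int(datetime.now(timezone.utc).timestamp()) if now_epoch is None else now_epoch
    findings = []
    for s in pe["sections"]:
        if not s["standard"]:
            findings.append("non-standard section name: %s" % s["name"])
        if s["entropy"] > 7.0:  # packed or encrypted code sits close to 8.0 (threshold is an assumption)
            findings.append("high entropy section %s: %.2f" % (s["name"], s["entropy"]))
    # A zero CheckSum is legal for non-driver images; only a wrong non-zero value counts.
    if pe["stored_checksum"] and pe["stored_checksum"] != pe["computed_checksum"]:
        findings.append("invalid checksum: stored 0x%x, computed 0x%x"
                        % (pe["stored_checksum"], pe["computed_checksum"]))
    if pe["timestamp"] > now_epoch:
        built = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
        findings.append("suspicious time stamp: %s is in the future" % built.isoformat())
    return findings

def build_sample_pe(section_names, bodies, timestamp, stored_checksum) -> bytes:
    """Constructed minimal PE32+ image: enough header for parse_pe(); not loadable, not real."""
    opt_size, align = 240, 0x200
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * len(section_names)) // align) * align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), timestamp, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, 0x40, stored_checksum)  # CheckSum field
    sect_hdrs, blobs, raw_ptr = bytearray(), bytearray(), hdr_len
    for i, (name, body) in enumerate(zip(section_names, bodies)):
        body += b"\0" * (-len(body) % align)
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode("latin-1"), len(body),
                                 0x1000 * (i + 1), len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += body
        raw_ptr += len(body)
    image = dos + b"PE\0\0" + coff + bytes(opt) + bytes(sect_hdrs)
    return image + b"\0" * (hdr_len - len(image)) + bytes(blobs)

if __name__ == "__main__":  # report values: shared CheckSum 0x7d786c40, SndVol.exe's 2028 stamp,
    sample = build_sample_pe([".text", ".kmnqh", ".wucsxe"],  # two of the randomized section names
                             [bytes(range(256)) * 2, b"\0" * 64, b"\x90" * 64], 0x6E534A77, 0x7D786C40)
    print("\n".join(triage(sample, now_epoch=1632787200)))  # "now" pinned to 2021-09-28 UTC
```

The checksum routine mirrors what imagehlp's MapFileAndCheckSum does, so a file whose stored field equals the recomputed value reads as "linked normally"; a loader that rewrites headers per drop but never fixes the field is what produces a constant like 0x7d786c40 across thirteen different files, and that constant is itself a usable pivot.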

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\UjbH0ZEv\SYSDM.CPL Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\KAG\SYSDM.CPL Jump to dropped file
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\cZk0IMu\dwmapi.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\5JXP\iexpress.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\KAG\SystemPropertiesDataExecutionPrevention.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2oEy\tcmsetup.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\mFxP\upfc.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\KAG\SYSDM.CPL Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\UjbH0ZEv\SYSDM.CPL Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NakOm\wscript.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\KXZtu\dwmapi.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NakOm\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\mFxP\XmlLite.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\mlAKVTuFf\DUser.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\5JXP\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\IcLt\BdeUISrv.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Uh9eo\FVEWIZ.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\FvTQVxZ\UxTheme.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\FvTQVxZ\FileHistory.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\IcLt\WTSAPI32.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2oEy\TAPI32.dll Jump to dropped file
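
The dropped-file list above follows a single layout: a legitimate Windows executable (SndVol.exe, bdeunlock.exe, wscript.exe, upfc.exe and the others) is copied into a randomly named folder under %LOCALAPPDATA% together with exactly one library that carries the name of a module the executable imports (dwmapi.dll, DUser.dll, VERSION.dll, XmlLite.dll, SYSDM.CPL and so on). Because the loader searches an application's own directory before System32 for any module not on the KnownDLLs list, starting the copied EXE loads the dropped library instead of the real one: DLL search-order hijacking with a signed host. The example below is added here and is not sandbox code; it groups the report's own paths by folder to recover the twelve EXE/library pairs, and shows the confirmation step a responder would take on a host, hashing the dropped library against the genuine System32 module of the same name. The hash inputs in it are constructed stand-ins.

```python
"""Recover the side-loading layout from the dropped-file list above: each randomly named
folder under %LOCALAPPDATA% holds one copy of a legitimate Windows executable plus one
library named like a module that executable resolves from its own directory first.
Added example, not the sandbox's own code."""
import hashlib
import ntpath
from collections import defaultdict

# The explorer.exe "File created" paths exactly as the report lists them.
DROPPED = r"""
C:\Users\user\AppData\Local\cZk0IMu\dwmapi.dll
C:\Users\user\AppData\Local\5JXP\iexpress.exe
C:\Users\user\AppData\Local\KAG\SystemPropertiesDataExecutionPrevention.exe
C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe
C:\Users\user\AppData\Local\2oEy\tcmsetup.exe
C:\Users\user\AppData\Local\mFxP\upfc.exe
C:\Users\user\AppData\Local\KAG\SYSDM.CPL
C:\Users\user\AppData\Local\UjbH0ZEv\SYSDM.CPL
C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe
C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe
C:\Users\user\AppData\Local\KXZtu\SndVol.exe
C:\Users\user\AppData\Local\NakOm\wscript.exe
C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe
C:\Users\user\AppData\Local\KXZtu\dwmapi.dll
C:\Users\user\AppData\Local\NakOm\VERSION.dll
C:\Users\user\AppData\Local\mFxP\XmlLite.dll
C:\Users\user\AppData\Local\mlAKVTuFf\DUser.dll
C:\Users\user\AppData\Local\5JXP\VERSION.dll
C:\Users\user\AppData\Local\IcLt\BdeUISrv.exe
C:\Users\user\AppData\Local\Uh9eo\FVEWIZ.dll
C:\Users\user\AppData\Local\FvTQVxZ\UxTheme.dll
C:\Users\user\AppData\Local\FvTQVxZ\FileHistory.exe
C:\Users\user\AppData\Local\IcLt\WTSAPI32.dll
C:\Users\user\AppData\Local\2oEy\TAPI32.dll
""".split()

LIBRARY_EXTS = {".dll", ".cpl", ".ocx"}  # .cpl and .ocx are DLLs under another extension

def group_by_folder(paths):
    """Map each folder to the executables and libraries created in it."""
    by_dir = defaultdict(lambda: {"exe": [], "lib": []})
    for path in paths:
        folder, name = ntpath.split(path)
        ext = ntpath.splitext(name)[1].lower()
        if ext == ".exe":
            by_dir[folder]["exe"].append(name)
        elif ext in LIBRARY_EXTS:
            by_dir[folder]["lib"].append(name)
    return by_dir

def side_loading_candidates(paths, writable_marker="\\AppData\\Local\\"):
    """Folders under a user-writable root holding at least one EXE and one library,
    the layout a DLL search-order hijack needs (KnownDLLs excepted)."""
    hits = []
    for folder, files in sorted(group_by_folder(paths).items()):
        if files["exe"] and files["lib"] and writable_marker.lower() in folder.lower():
            hits.append({"folder": ntpath.basename(folder), "path": folder,
                         "exe": sorted(files["exe"]), "lib": sorted(files["lib"])})
    return hits

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_against_system32(lib_name, lib_bytes, genuine_hashes):
    """Compare a dropped library with the SHA-256 of the System32 module of the same
    name. genuine_hashes is {lowercase name: sha256} collected from a trusted host;
    the one used below is a constructed stand-in."""
    expected = genuine_hashes.get(lib_name.lower())
    if expected is None:
        return "unknown"  # not a system module name: judge on other evidence
    return "genuine copy" if sha256(lib_bytes) == expected else "impostor"

if __name__ == "__main__":
    for hit in side_loading_candidates(DROPPED):
        print("%-10s %-45s <- %s" % (hit["folder"], ", ".join(hit["exe"]), ", ".join(hit["lib"])))
    genuine = {"dwmapi.dll": sha256(b"stand-in for the real System32 dwmapi.dll")}  # constructed
    print(verify_against_system32("dwmapi.dll", b"constructed impostor bytes", genuine))  # impostor
```

On a live host the hash table would be built from %SystemRoot%\System32 itself (or from a known-good image of the same build), and the folder grouping would come from file-creation telemetry rather than from the report; a hit where the EXE is a byte-identical copy of a System32 binary but the library is not is the pair worth pulling.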

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Code function: 20_2_00007FF68D872EF4 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetLastError,GetProcessHeap,HeapAlloc,wcscmp,wcscmp,GetCurrentProcess,GetProcessMitigationPolicy,LocalAlloc,~SyncLockT,FreeLibrary,memset,memcpy,~SyncLockT,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetModuleFileNameW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,memcpy,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,memcpy,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetModuleHandleExW,GetLastError,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,memset,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,memset,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,HeapFree,GetLastError,memset,memset,GetLastError,GetLastError,memset,GetLastError,memset,GetLastError,memset,memset,FreeLibrary,memset,memcpy,memset,memset,memset,memset,GetLastError,memset,GetLastError,memset,memset,memset,memset,GetLastError,GetLastError,memset,GetLastError,memset,memset,memset,GetLastError,memset,GetLastError,memset,memset,memset,memset,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,FreeLibrary,memset,memcpy,~SyncLockT,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap 20_2_00007FF68D872EF4
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 4328 Thread sleep count: 41 > 30 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\5JXP\iexpress.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\IcLt\BdeUISrv.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\FvTQVxZ\FileHistory.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\IcLt\WTSAPI32.dll Jump to dropped file
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Code function: 20_2_00007FF68D872EF4 rdtsc 20_2_00007FF68D872EF4
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 GetSystemInfo, 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF1D4A0 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose, 36_2_00007FF68AF1D4A0
Source: C:\Users\user\AppData\Local\mFxP\upfc.exe Code function: 40_2_00007FF7299BDF60 PathCchCombine,FindFirstFileW,GetLastError,PathCchCombine,FindNextFileW,FindClose, 40_2_00007FF7299BDF60
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Code function: 20_2_00007FF68D887818 GetLogicalDriveStringsW,GetLastError,GetProcessHeap,HeapAlloc,GetLogicalDriveStringsW,GetLastError,?UnlockWithKey@BuiVolume@@QEAAJPEBGPEAH@Z, 20_2_00007FF68D887818
Source: explorer.exe, 00000004.00000000.393207647.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.367584067.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.360548148.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.393207647.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.366974154.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000004.00000000.366974154.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.367584067.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000004.00000000.398986460.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249B21D0 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 17_2_00007FF6249B21D0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249B29E8 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 17_2_00007FF6249B29E8
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Code function: 20_2_00007FF68D872EF4 rdtsc 20_2_00007FF68D872EF4
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose, 0_2_0000000140048AC0
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BAFED00 memset,memset,QueryPerformanceFrequency,QueryPerformanceCounter,BlockInput, 30_2_00007FF71BAFED00
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249CF2E0 SetUnhandledExceptionFilter, 17_2_00007FF6249CF2E0
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249CEE40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00007FF6249CEE40
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Code function: 20_2_00007FF68D894AD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00007FF68D894AD8
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Code function: 20_2_00007FF68D894E40 SetUnhandledExceptionFilter, 20_2_00007FF68D894E40
Source: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe Code function: 25_2_00007FF6A7B91460 SetUnhandledExceptionFilter, 25_2_00007FF6A7B91460
Source: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe Code function: 25_2_00007FF6A7B916E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_00007FF6A7B916E4
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB6BF20 SetUnhandledExceptionFilter, 30_2_00007FF71BB6BF20
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB6BD44 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 30_2_00007FF71BB6BD44
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB6B284 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 30_2_00007FF71BB6B284
Source: C:\Users\user\AppData\Local\2oEy\tcmsetup.exe Code function: 33_2_00007FF6E3312330 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 33_2_00007FF6E3312330
Source: C:\Users\user\AppData\Local\2oEy\tcmsetup.exe Code function: 33_2_00007FF6E3312530 SetUnhandledExceptionFilter, 33_2_00007FF6E3312530
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF23CC8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_00007FF68AF23CC8
Source: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe Code function: 38_2_00007FF6173E1880 SetUnhandledExceptionFilter, 38_2_00007FF6173E1880
Source: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe Code function: 38_2_00007FF6173E1B04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 38_2_00007FF6173E1B04
Source: C:\Users\user\AppData\Local\mFxP\upfc.exe Code function: 40_2_00007FF7299C0AE4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 40_2_00007FF7299C0AE4
Source: C:\Users\user\AppData\Local\mFxP\upfc.exe Code function: 40_2_00007FF7299C0868 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_00007FF7299C0868
Source: C:\Users\user\AppData\Local\mFxP\upfc.exe Code function: 40_2_00007FF7299C0A08 SetUnhandledExceptionFilter, 40_2_00007FF7299C0A08

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: dwmapi.dll.4.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFD88ECEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFD88ECE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFD88912A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Contains functionality to automate explorer (e.g. start an application)
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249BA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent, 17_2_00007FF6249BA5C8
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll',#1
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: 30_2_00007FF71BB68CAC mouse_event,SetForegroundWindow, 30_2_00007FF71BB68CAC
Source: C:\Users\user\AppData\Local\2oEy\tcmsetup.exe Code function: 33_2_00007FF6E3311618 HeapSetInformation,GetModuleHandleW,LoadStringW,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,GetCommandLineW, 33_2_00007FF6E3311618
Source: explorer.exe, 00000004.00000000.359377011.0000000004F80000.00000004.00000001.sdmp, SndVol.exe Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.356684211.00000000008B8000.00000004.00000020.sdmp Binary or memory string: Progman
Source: SndVol.exe, 00000011.00000002.489479361.00007FF6249D2000.00000002.00020000.sdmp, SndVol.exe.4.dr Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
Source: explorer.exe, 00000004.00000000.415865293.0000000000EE0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000004.00000000.415865293.0000000000EE0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\2oEy\tcmsetup.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\2oEy\tcmsetup.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\mFxP\upfc.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\mFxP\upfc.exe Queries volume information: unknown VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: GetUserPreferredUILanguages,malloc,GetUserPreferredUILanguages,GetLocaleInfoEx,free, 17_2_00007FF6249C9EF4
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Code function: GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLastError,GetLocaleInfoEx,??3@YAXPEAX@Z, 20_2_00007FF68D893B98
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: WindowsGetStringRawBuffer,WideCharToMultiByte,WindowsDeleteString,WindowsDuplicateString,WindowsDeleteString,WindowsDuplicateString,GetUserDefaultUILanguage,LCIDToLocaleName,GetLocaleInfoEx, 30_2_00007FF71BAD6068
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: RoInitialize,CoInitializeSecurity,RegisterWindowMessageW,CommandLineToArgvW,wcschr,_o__wcsnicmp,wcsnlen,_o_wcstol,_o__wcsnicmp,_o_wcstol,FindWindowW,GetUserDefaultUILanguage,GetLocaleInfoW,SetProcessDefaultLayout,IsWindow,SetProcessDpiAwareness,PostMessageW,memset,PostQuitMessage,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,EventUnregister,CloseHandle,EventUnregister,UnhookWinEvent,LocalFree,CloseHandle,RoUninitialize, 30_2_00007FF71BAF72C8
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe Code function: _o__Getdays,_o_free,_o_calloc,_o__Getmonths,_o_free,_o_calloc,_o_calloc,_o____lc_locale_name_func,GetLocaleInfoEx,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task, 30_2_00007FF71BB50A3C
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,_wcsncoll,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary, 36_2_00007FF68AF2340C
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: GetUserDefaultLCID,GetLocaleInfoW,GetModuleFileNameW,FreeLibrary,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA, 36_2_00007FF68AF20EC4
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe Code function: 17_2_00007FF6249CF470 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 17_2_00007FF6249CF470
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF14428 SysAllocString,GetVersionExA,IsTextUnicode,MultiByteToWideChar,GetLastError,SysAllocStringLen,MultiByteToWideChar,GetLastError,_swab,memcpy,SysFreeString, 36_2_00007FF68AF14428
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF16CEC RegisterEventSourceW,GetUserNameW,LookupAccountNameW,LookupAccountNameW,ReportEventW,DeregisterEventSource,SysFreeString,RegCloseKey,RegCloseKey, 36_2_00007FF68AF16CEC

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe Code function: 20_2_00007FF68D87193C GetCurrentProcessId,AllowSetForegroundWindow,CoCreateInstance,CoCreateInstance,GetSystemMetrics,RegGetValueW,GetSystemMetrics,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?CreateInstance@CSafeElementProxy@@SAJPEAVElement@DirectUI@@PEAPEAV1@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,SetForegroundWindow,LocalFree,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ, 20_2_00007FF68D87193C
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF1C370 CreateBindCtx,MkParseDisplayName, 36_2_00007FF68AF1C370
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF14FE0 CreateBindCtx,SysAllocStringByteLen,SysFreeString, 36_2_00007FF68AF14FE0
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe Code function: 36_2_00007FF68AF191AC GetUserDefaultLCID,CreateBindCtx, 36_2_00007FF68AF191AC
No contacted IP infos