Windows Analysis Report 2qTIaOLW2o

Overview

General Information

Sample Name: 2qTIaOLW2o (renamed file extension from none to dll)
Analysis ID: 492663
MD5: 8ad564b939e5a713e39154c7e566adc6
SHA1: 8cd069a890ab232fca75a17e324de60c426f3115
SHA256: 1fa221f1d5a2c006943c6986babc756890b79c2b38380403789e54f467e1a84c
Tags: Dridexexe
Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Contains functionality to hide windows to a different desktop
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Contains functionality to automate explorer (e.g. start an application)
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops files with a non-matching file extension (content does not match file extension)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 2qTIaOLW2o.dll Virustotal: Detection: 67%
Source: 2qTIaOLW2o.dll ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: 2qTIaOLW2o.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\ScS40sYu\dwmapi.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\cAlXLQGkN\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\CsJaRZ\HID.DLL Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\famGrLP\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\N52IORg\WTSAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\52smNq1W\SLC.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\hbyq\SYSDM.CPL Avira: detection malicious, Label: HEUR/AGEN.1114452
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\ScS40sYu\dwmapi.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\cAlXLQGkN\UxTheme.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\CsJaRZ\HID.DLL Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\famGrLP\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\N52IORg\WTSAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\52smNq1W\SLC.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\hbyq\SYSDM.CPL Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe Code function: 28_2_00007FF6A56B2E8C BCryptDestroyKey,BCryptCloseAlgorithmProvider,CoTaskMemFree,CoTaskMemFree, 28_2_00007FF6A56B2E8C
Source: C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe Code function: 28_2_00007FF6A56BCE10 memset,memcpy,BCryptEncrypt,BCryptDestroyKey,BCryptCloseAlgorithmProvider,CoTaskMemFree, 28_2_00007FF6A56BCE10
Source: C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe Code function: 28_2_00007FF6A56B2A04 BCryptDecrypt,memset,BCryptDecrypt,memcpy,BCryptDestroyKey,BCryptCloseAlgorithmProvider,CoTaskMemFree, 28_2_00007FF6A56B2A04
Source: C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe Code function: 28_2_00007FF6A56B2CA0 BCryptOpenAlgorithmProvider,BCryptGetProperty,BCryptGetProperty,BCryptGenerateSymmetricKey,BCryptDestroyKey,BCryptCloseAlgorithmProvider,CoTaskMemFree, 28_2_00007FF6A56B2CA0
Source: C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe Code function: 28_2_00007FF6A56BCC10 BCryptGenRandom,memcpy,BCryptEncrypt,memcpy,BCryptEncrypt, 28_2_00007FF6A56BCC10
Source: 2qTIaOLW2o.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000016.00000002.353824217.00007FF6153F2000.00000002.00020000.sdmp, SndVol.exe.5.dr
Source: Binary string: ProximityUxHost.pdbGCTL source: ProximityUxHost.exe, 0000001C.00000002.418174938.00007FF6A56C2000.00000002.00020000.sdmp, ProximityUxHost.exe.5.dr
Source: Binary string: msinfo32.pdb source: msinfo32.exe, 00000021.00000002.443527978.00007FF7B2471000.00000002.00020000.sdmp, msinfo32.exe.5.dr
Source: Binary string: dpapimig.pdbGCTL source: dpapimig.exe, 00000023.00000002.480133148.00007FF6882C4000.00000002.00020000.sdmp, dpapimig.exe, 00000026.00000002.512743904.00007FF675104000.00000002.00020000.sdmp, dpapimig.exe0.5.dr
Source: Binary string: SystemPropertiesPerformance.pdb source: SystemPropertiesPerformance.exe, 00000028.00000000.515128617.00007FF605252000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.5.dr
Source: Binary string: tabcal.pdbGCTL source: tabcal.exe, 00000018.00000000.356402567.00007FF6FB15A000.00000002.00020000.sdmp, tabcal.exe.5.dr
Source: Binary string: rdpinit.pdb source: rdpinit.exe.5.dr
Source: Binary string: SystemPropertiesPerformance.pdbGCTL source: SystemPropertiesPerformance.exe, 00000028.00000000.515128617.00007FF605252000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.5.dr
Source: Binary string: rdpinit.pdbGCTL source: rdpinit.exe.5.dr
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe.5.dr
Source: Binary string: LockScreenContentServer.pdbGCTL source: LockScreenContentServer.exe.5.dr
Source: Binary string: dpapimig.pdb source: dpapimig.exe, 00000023.00000002.480133148.00007FF6882C4000.00000002.00020000.sdmp, dpapimig.exe, 00000026.00000002.512743904.00007FF675104000.00000002.00020000.sdmp, dpapimig.exe0.5.dr
Source: Binary string: GamePanel.pdb source: GamePanel.exe.5.dr
Source: Binary string: tabcal.pdb source: tabcal.exe, 00000018.00000000.356402567.00007FF6FB15A000.00000002.00020000.sdmp, tabcal.exe.5.dr
Source: Binary string: msinfo32.pdbGCTL source: msinfo32.exe, 00000021.00000002.443527978.00007FF7B2471000.00000002.00020000.sdmp, msinfo32.exe.5.dr
Source: Binary string: LockScreenContentServer.pdb source: LockScreenContentServer.exe.5.dr
Source: Binary string: SndVol.pdb source: SndVol.exe, 00000016.00000002.353824217.00007FF6153F2000.00000002.00020000.sdmp, SndVol.exe.5.dr
Source: Binary string: ProximityUxHost.pdb source: ProximityUxHost.exe, 0000001C.00000002.418174938.00007FF6A56C2000.00000002.00020000.sdmp, ProximityUxHost.exe.5.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: 33_2_00007FF7B2466334 #620,#624,#6050,#1040,#1040,#4436,#1122,#1040,#624,#1259,#1040,#626,FindFirstFileW,#624,#1259,#1262,#1122,#1040,#1040,#1040,_wcsicmp,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,#624,#1259,#1040,FindFirstFileW,#622,#624,#624,#1259,#1259,#1040,#1040,#1040,#1040,#1040,FindNextFileW,FindClose,RemoveDirectoryW,#1040,#1040,#1040,#1040, 33_2_00007FF7B2466334
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: 33_2_00007FF7B24672AC #624,FindFirstFileW,FindClose,#6050,_wcsicmp,#1040,#1463,_wcsicmp,#624,CreateFileW,GetFileSize,ReadFile,CloseHandle,#1040,CreateFileW,#6886,CloseHandle,#6886,_wcsicmp,#626,#624,#1040,#624,#1122,SetupIterateCabinetW,#1040,#626,#626,RegOpenKeyExW,RegGetValueW,#1126,RegCloseKey,#1040,#1040,#1040,RegOpenKeyExW,#624,#2975,RegSetValueExW,#1122,RegCloseKey,#1040,RegCloseKey,#620,#620,#628,#1042,#1040,#1040,#622,#1259,#1122,#1040,#1040,#1284,#2783,#1040,#1040,#1040,#1042,#1040,#1040,#1040,#1040,#1040,#1040,GetLastError,#626,#626,#4473,#4473,#1287,#1287,MessageBoxW,#1040,#1040,#1040, 33_2_00007FF7B24672AC
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: 33_2_00007FF7B2465DE8 #626,#626,#1122,#624,#6050,#1040,#1040,#624,#1284,#1040,#1259,#1122,#1040,FindFirstFileW,#624,#1259,#1358,#1040,#1040,FindNextFileW,FindClose,#624,#1259,#1122,#1040,#1040,FindFirstFileW,#624,#1259,#1040,#1040,FindNextFileW,FindClose,#1040,#1040, 33_2_00007FF7B2465DE8
Source: SndVol.exe, 00000015.00000002.327014978.00000242A3690000.00000002.00020000.sdmp String found in binary or memory: http://schemas.micro
Source: GamePanel.exe.5.dr String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth
Source: GamePanel.exe.5.dr String found in binary or memory: https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING
Source: GamePanel.exe.5.dr String found in binary or memory: https://aka.ms/wk9ocd
Source: GamePanel.exe.5.dr String found in binary or memory: https://mixer.com/%wsWindows.System.Launcher
Source: GamePanel.exe.5.dr String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia
Source: GamePanel.exe.5.dr String found in binary or memory: https://mixer.com/api/v1/broadcasts/current
Source: GamePanel.exe.5.dr String found in binary or memory: https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC
Source: GamePanel.exe.5.dr String found in binary or memory: https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v
Source: GamePanel.exe.5.dr String found in binary or memory: https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: 33_2_00007FF7B2467D98 LoadCursorW,SetCursor,SetCursor,IsDlgButtonChecked,IsDlgButtonChecked,CheckDlgButton,GetDlgItem,GetWindowTextW,#1126,SendMessageW,PostMessageW,SendMessageW,SendMessageW,LoadIconW,LoadStringW,ShellAboutW,DestroyIcon,GetFocus,IsWindowEnabled,IsWindowEnabled,GetFocus,IsWindowVisible,IsWindowEnabled,OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,#624,#2781,#5979,SendMessageW,GlobalUnlock,#1040,CloseClipboard,SendMessageW, 33_2_00007FF7B2467D98
Installs a raw input device (often for capturing keystrokes)
Source: GamePanel.exe.5.dr Binary or memory string: RegisterRawInputDevices
Contains functionality to read data from the clipboard
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: 33_2_00007FF7B246A9C4 GetFocus,IsWindowVisible,IsWindowEnabled,SendMessageW,#626,#1126,SendMessageW,SendMessageW,#1287,#1284,#1287,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,#1040, 33_2_00007FF7B246A9C4

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000002.00000002.322869708.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.412511294.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.441901323.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253887228.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.245204685.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.511156934.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.261001867.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.266558177.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.352259211.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.478548185.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.379949090.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.536952423.0000000140001000.00000020.00020000.sdmp, type: MEMORY

Protection of GUI:

Contains functionality to hide windows to a different desktop
Source: C:\Users\user\AppData\Local\CsJaRZ\tabcal.exe Code function: 24_2_00007FF6FB151F10 ImmDisableTextFrameService,_wcslwr,GetCurrentThreadId,GetThreadDesktop,CreateDesktopW,SetThreadDesktop,SwitchDesktop,CloseDesktop,memset,LoadIconW,LoadCursorW,RegisterClassExW,CreateWindowExW,ShowWindow,PostMessageW,TranslateMessage,DispatchMessageW,GetMessageW,UnregisterClassW,DestroyInteractionContext,free,free,SwitchDesktop,CloseDesktop, 24_2_00007FF6FB151F10

System Summary:

Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: String function: 00007FF7B24589B8 appears 46 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140046C90 NtClose, 0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 NtQuerySystemInformation,RtlAllocateHeap, 0_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: 33_2_00007FF7B24607E8 #626,#626,#4473,#4473,NtQuerySystemInformation,#4473,#1040,#1040, 33_2_00007FF7B24607E8
Sample file is different than original file name gathered from version info
Source: 2qTIaOLW2o.dll Binary or memory string: OriginalFilenamekbdyj% vs 2qTIaOLW2o.dll
PE file contains strange resources
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tabcal.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tabcal.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tabcal.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msinfo32.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: msinfo32.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msinfo32.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msinfo32.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msinfo32.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msinfo32.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msinfo32.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.exe0.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.exe0.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.exe0.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
PE file contains more sections than normal
Source: DUI70.dll0.5.dr Static PE information: Number of sections : 35 > 10
Source: DUI70.dll.5.dr Static PE information: Number of sections : 35 > 10
Source: WTSAPI32.dll.5.dr Static PE information: Number of sections : 35 > 10
Source: HID.DLL.5.dr Static PE information: Number of sections : 35 > 10
Source: DUI70.dll1.5.dr Static PE information: Number of sections : 35 > 10
Source: SYSDM.CPL.5.dr Static PE information: Number of sections : 35 > 10
Source: SLC.dll.5.dr Static PE information: Number of sections : 35 > 10
Source: UxTheme.dll.5.dr Static PE information: Number of sections : 35 > 10
Source: dwmapi.dll0.5.dr Static PE information: Number of sections : 35 > 10
Source: 2qTIaOLW2o.dll Static PE information: Number of sections : 34 > 10
Source: dwmapi.dll.5.dr Static PE information: Number of sections : 35 > 10
Source: 2qTIaOLW2o.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: HID.DLL.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SLC.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll1.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll0.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 2qTIaOLW2o.dll Virustotal: Detection: 67%
Source: 2qTIaOLW2o.dll ReversingLabs: Detection: 75%
Source: 2qTIaOLW2o.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\2qTIaOLW2o.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2qTIaOLW2o.dll',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2qTIaOLW2o.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2qTIaOLW2o.dll,??0?$PatternProvider@VExpandCollapseProvider@DirectUI@@UIExpandCollapseProvider@@$00@DirectUI@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2qTIaOLW2o.dll,??0?$PatternProvider@VGridItemProvider@DirectUI@@UIGridItemProvider@@$01@DirectUI@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2qTIaOLW2o.dll,??0?$PatternProvider@VGridProvider@DirectUI@@UIGridProvider@@$02@DirectUI@@QEAA@XZ
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\cAlXLQGkN\SndVol.exe C:\Users\user\AppData\Local\cAlXLQGkN\SndVol.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\tabcal.exe C:\Windows\system32\tabcal.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\CsJaRZ\tabcal.exe C:\Users\user\AppData\Local\CsJaRZ\tabcal.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\ProximityUxHost.exe C:\Windows\system32\ProximityUxHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\msinfo32.exe C:\Windows\system32\msinfo32.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\dpapimig.exe C:\Windows\system32\dpapimig.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\famGrLP\dpapimig.exe C:\Users\user\AppData\Local\famGrLP\dpapimig.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\dpapimig.exe C:\Windows\system32\dpapimig.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\y7FgRNmA\dpapimig.exe C:\Users\user\AppData\Local\y7FgRNmA\dpapimig.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesPerformance.exe C:\Windows\system32\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\hbyq\SystemPropertiesPerformance.exe C:\Users\user\AppData\Local\hbyq\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.troj.evad.winDLL@45/21@0/0
Source: C:\Users\user\AppData\Local\cAlXLQGkN\SndVol.exe Code function: 22_2_00007FF6153E1D64 CoCreateInstance,ImageList_Create,GetSysColor,ImageList_SetBkColor, 22_2_00007FF6153E1D64
Source: C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe Code function: 28_2_00007FF6A569D49C FormatMessageW,GetLastError, 28_2_00007FF6A569D49C
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2qTIaOLW2o.dll',#1
Source: C:\Users\user\AppData\Local\hbyq\SystemPropertiesPerformance.exe Mutant created: \Sessions\1\BaseNamedObjects\{1393df40-fb89-1875-a7b8-1174748e042d}
Source: C:\Users\user\AppData\Local\hbyq\SystemPropertiesPerformance.exe Mutant created: \Sessions\1\BaseNamedObjects\{03473c0b-b89b-1ce4-9ab2-634393a4b7a9}
Source: C:\Users\user\AppData\Local\cAlXLQGkN\SndVol.exe Code function: 22_2_00007FF6153D8E7C LoadResource,LockResource,SizeofResource, 22_2_00007FF6153D8E7C
Source: 2qTIaOLW2o.dll Static PE information: More than 4319 > 100 exports found
Source: 2qTIaOLW2o.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: 2qTIaOLW2o.dll Static file information: File size 1503232 > 1048576
Source: 2qTIaOLW2o.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000016.00000002.353824217.00007FF6153F2000.00000002.00020000.sdmp, SndVol.exe.5.dr
Source: Binary string: ProximityUxHost.pdbGCTL source: ProximityUxHost.exe, 0000001C.00000002.418174938.00007FF6A56C2000.00000002.00020000.sdmp, ProximityUxHost.exe.5.dr
Source: Binary string: msinfo32.pdb source: msinfo32.exe, 00000021.00000002.443527978.00007FF7B2471000.00000002.00020000.sdmp, msinfo32.exe.5.dr
Source: Binary string: dpapimig.pdbGCTL source: dpapimig.exe, 00000023.00000002.480133148.00007FF6882C4000.00000002.00020000.sdmp, dpapimig.exe, 00000026.00000002.512743904.00007FF675104000.00000002.00020000.sdmp, dpapimig.exe0.5.dr
Source: Binary string: SystemPropertiesPerformance.pdb source: SystemPropertiesPerformance.exe, 00000028.00000000.515128617.00007FF605252000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.5.dr
Source: Binary string: tabcal.pdbGCTL source: tabcal.exe, 00000018.00000000.356402567.00007FF6FB15A000.00000002.00020000.sdmp, tabcal.exe.5.dr
Source: Binary string: rdpinit.pdb source: rdpinit.exe.5.dr
Source: Binary string: SystemPropertiesPerformance.pdbGCTL source: SystemPropertiesPerformance.exe, 00000028.00000000.515128617.00007FF605252000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.5.dr
Source: Binary string: rdpinit.pdbGCTL source: rdpinit.exe.5.dr
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe.5.dr
Source: Binary string: LockScreenContentServer.pdbGCTL source: LockScreenContentServer.exe.5.dr
Source: Binary string: dpapimig.pdb source: dpapimig.exe, 00000023.00000002.480133148.00007FF6882C4000.00000002.00020000.sdmp, dpapimig.exe, 00000026.00000002.512743904.00007FF675104000.00000002.00020000.sdmp, dpapimig.exe0.5.dr
Source: Binary string: GamePanel.pdb source: GamePanel.exe.5.dr
Source: Binary string: tabcal.pdb source: tabcal.exe, 00000018.00000000.356402567.00007FF6FB15A000.00000002.00020000.sdmp, tabcal.exe.5.dr
Source: Binary string: msinfo32.pdbGCTL source: msinfo32.exe, 00000021.00000002.443527978.00007FF7B2471000.00000002.00020000.sdmp, msinfo32.exe.5.dr
Source: Binary string: LockScreenContentServer.pdb source: LockScreenContentServer.exe.5.dr
Source: Binary string: SndVol.pdb source: SndVol.exe, 00000016.00000002.353824217.00007FF6153F2000.00000002.00020000.sdmp, SndVol.exe.5.dr
Source: Binary string: ProximityUxHost.pdb source: ProximityUxHost.exe, 0000001C.00000002.418174938.00007FF6A56C2000.00000002.00020000.sdmp, ProximityUxHost.exe.5.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret 0_2_0000000140056A4E
PE file contains sections with non-standard names
Source: 2qTIaOLW2o.dll Static PE information: section name: .qkm
Source: 2qTIaOLW2o.dll Static PE information: section name: .cvjb
Source: 2qTIaOLW2o.dll Static PE information: section name: .tlmkv
Source: 2qTIaOLW2o.dll Static PE information: section name: .wucsxe
Source: 2qTIaOLW2o.dll Static PE information: section name: .wnx
Source: 2qTIaOLW2o.dll Static PE information: section name: .weqy
Source: 2qTIaOLW2o.dll Static PE information: section name: .yby
Source: 2qTIaOLW2o.dll Static PE information: section name: .ormx
Source: 2qTIaOLW2o.dll Static PE information: section name: .dhclu
Source: 2qTIaOLW2o.dll Static PE information: section name: .xmiul
Source: 2qTIaOLW2o.dll Static PE information: section name: .tlwcxe
Source: 2qTIaOLW2o.dll Static PE information: section name: .get
Source: 2qTIaOLW2o.dll Static PE information: section name: .hzrd
Source: 2qTIaOLW2o.dll Static PE information: section name: .gfrpb
Source: 2qTIaOLW2o.dll Static PE information: section name: .ymlijr
Source: 2qTIaOLW2o.dll Static PE information: section name: .tntrb
Source: 2qTIaOLW2o.dll Static PE information: section name: .rmvhl
Source: 2qTIaOLW2o.dll Static PE information: section name: .ukcyi
Source: 2qTIaOLW2o.dll Static PE information: section name: .knmra
Source: 2qTIaOLW2o.dll Static PE information: section name: .wtn
Source: 2qTIaOLW2o.dll Static PE information: section name: .kjnw
Source: 2qTIaOLW2o.dll Static PE information: section name: .okpgp
Source: 2qTIaOLW2o.dll Static PE information: section name: .oxbitk
Source: 2qTIaOLW2o.dll Static PE information: section name: .dplkzo
Source: 2qTIaOLW2o.dll Static PE information: section name: .psnue
Source: 2qTIaOLW2o.dll Static PE information: section name: .lida
Source: 2qTIaOLW2o.dll Static PE information: section name: .arovjd
Source: 2qTIaOLW2o.dll Static PE information: section name: .xsnm
Source: SndVol.exe.5.dr Static PE information: section name: .imrsiv
Source: SndVol.exe.5.dr Static PE information: section name: .didat
Source: tabcal.exe.5.dr Static PE information: section name: .didat
Source: ProximityUxHost.exe.5.dr Static PE information: section name: .imrsiv
Source: GamePanel.exe.5.dr Static PE information: section name: .imrsiv
Source: GamePanel.exe.5.dr Static PE information: section name: .didat
Source: rdpinit.exe.5.dr Static PE information: section name: .imrsiv
Source: UxTheme.dll.5.dr Static PE information: section name: .qkm
Source: UxTheme.dll.5.dr Static PE information: section name: .cvjb
Source: UxTheme.dll.5.dr Static PE information: section name: .tlmkv
Source: UxTheme.dll.5.dr Static PE information: section name: .wucsxe
Source: UxTheme.dll.5.dr Static PE information: section name: .wnx
Source: UxTheme.dll.5.dr Static PE information: section name: .weqy
Source: UxTheme.dll.5.dr Static PE information: section name: .yby
Source: UxTheme.dll.5.dr Static PE information: section name: .ormx
Source: UxTheme.dll.5.dr Static PE information: section name: .dhclu
Source: UxTheme.dll.5.dr Static PE information: section name: .xmiul
Source: UxTheme.dll.5.dr Static PE information: section name: .tlwcxe
Source: UxTheme.dll.5.dr Static PE information: section name: .get
Source: UxTheme.dll.5.dr Static PE information: section name: .hzrd
Source: UxTheme.dll.5.dr Static PE information: section name: .gfrpb
Source: UxTheme.dll.5.dr Static PE information: section name: .ymlijr
Source: UxTheme.dll.5.dr Static PE information: section name: .tntrb
Source: UxTheme.dll.5.dr Static PE information: section name: .rmvhl
Source: UxTheme.dll.5.dr Static PE information: section name: .ukcyi
Source: UxTheme.dll.5.dr Static PE information: section name: .knmra
Source: UxTheme.dll.5.dr Static PE information: section name: .wtn
Source: UxTheme.dll.5.dr Static PE information: section name: .kjnw
Source: UxTheme.dll.5.dr Static PE information: section name: .okpgp
Source: UxTheme.dll.5.dr Static PE information: section name: .oxbitk
Source: UxTheme.dll.5.dr Static PE information: section name: .dplkzo
Source: UxTheme.dll.5.dr Static PE information: section name: .psnue
Source: UxTheme.dll.5.dr Static PE information: section name: .lida
Source: UxTheme.dll.5.dr Static PE information: section name: .arovjd
Source: UxTheme.dll.5.dr Static PE information: section name: .xsnm
Source: UxTheme.dll.5.dr Static PE information: section name: .kqfi
Source: HID.DLL.5.dr Static PE information: section name: .qkm
Source: HID.DLL.5.dr Static PE information: section name: .cvjb
Source: HID.DLL.5.dr Static PE information: section name: .tlmkv
Source: HID.DLL.5.dr Static PE information: section name: .wucsxe
Source: HID.DLL.5.dr Static PE information: section name: .wnx
Source: HID.DLL.5.dr Static PE information: section name: .weqy
Source: HID.DLL.5.dr Static PE information: section name: .yby
Source: HID.DLL.5.dr Static PE information: section name: .ormx
Source: HID.DLL.5.dr Static PE information: section name: .dhclu
Source: HID.DLL.5.dr Static PE information: section name: .xmiul
Source: HID.DLL.5.dr Static PE information: section name: .tlwcxe
Source: HID.DLL.5.dr Static PE information: section name: .get
Source: HID.DLL.5.dr Static PE information: section name: .hzrd
Source: HID.DLL.5.dr Static PE information: section name: .gfrpb
Source: HID.DLL.5.dr Static PE information: section name: .ymlijr
Source: HID.DLL.5.dr Static PE information: section name: .tntrb
Source: HID.DLL.5.dr Static PE information: section name: .rmvhl
Source: HID.DLL.5.dr Static PE information: section name: .ukcyi
Source: HID.DLL.5.dr Static PE information: section name: .knmra
Source: HID.DLL.5.dr Static PE information: section name: .wtn
Source: HID.DLL.5.dr Static PE information: section name: .kjnw
Source: HID.DLL.5.dr Static PE information: section name: .okpgp
Source: HID.DLL.5.dr Static PE information: section name: .oxbitk
Source: HID.DLL.5.dr Static PE information: section name: .dplkzo
Source: HID.DLL.5.dr Static PE information: section name: .psnue
Source: HID.DLL.5.dr Static PE information: section name: .lida
Source: HID.DLL.5.dr Static PE information: section name: .arovjd
Source: HID.DLL.5.dr Static PE information: section name: .xsnm
Source: HID.DLL.5.dr Static PE information: section name: .suz
Source: DUI70.dll.5.dr Static PE information: section name: .qkm
Source: DUI70.dll.5.dr Static PE information: section name: .cvjb
Source: DUI70.dll.5.dr Static PE information: section name: .tlmkv
Source: DUI70.dll.5.dr Static PE information: section name: .wucsxe
Source: DUI70.dll.5.dr Static PE information: section name: .wnx
Source: DUI70.dll.5.dr Static PE information: section name: .weqy
Source: DUI70.dll.5.dr Static PE information: section name: .yby
Source: DUI70.dll.5.dr Static PE information: section name: .ormx
Source: DUI70.dll.5.dr Static PE information: section name: .dhclu
Source: DUI70.dll.5.dr Static PE information: section name: .xmiul
Source: DUI70.dll.5.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll.5.dr Static PE information: section name: .get
Source: DUI70.dll.5.dr Static PE information: section name: .hzrd
Source: DUI70.dll.5.dr Static PE information: section name: .gfrpb
Source: DUI70.dll.5.dr Static PE information: section name: .ymlijr
Source: DUI70.dll.5.dr Static PE information: section name: .tntrb
Source: DUI70.dll.5.dr Static PE information: section name: .rmvhl
Source: DUI70.dll.5.dr Static PE information: section name: .ukcyi
Source: DUI70.dll.5.dr Static PE information: section name: .knmra
Source: DUI70.dll.5.dr Static PE information: section name: .wtn
Source: DUI70.dll.5.dr Static PE information: section name: .kjnw
Source: DUI70.dll.5.dr Static PE information: section name: .okpgp
Source: DUI70.dll.5.dr Static PE information: section name: .oxbitk
Source: DUI70.dll.5.dr Static PE information: section name: .dplkzo
Source: DUI70.dll.5.dr Static PE information: section name: .psnue
Source: DUI70.dll.5.dr Static PE information: section name: .lida
Source: DUI70.dll.5.dr Static PE information: section name: .arovjd
Source: DUI70.dll.5.dr Static PE information: section name: .xsnm
Source: DUI70.dll.5.dr Static PE information: section name: .amc
Source: SLC.dll.5.dr Static PE information: section name: .qkm
Source: SLC.dll.5.dr Static PE information: section name: .cvjb
Source: SLC.dll.5.dr Static PE information: section name: .tlmkv
Source: SLC.dll.5.dr Static PE information: section name: .wucsxe
Source: SLC.dll.5.dr Static PE information: section name: .wnx
Source: SLC.dll.5.dr Static PE information: section name: .weqy
Source: SLC.dll.5.dr Static PE information: section name: .yby
Source: SLC.dll.5.dr Static PE information: section name: .ormx
Source: SLC.dll.5.dr Static PE information: section name: .dhclu
Source: SLC.dll.5.dr Static PE information: section name: .xmiul
Source: SLC.dll.5.dr Static PE information: section name: .tlwcxe
Source: SLC.dll.5.dr Static PE information: section name: .get
Source: SLC.dll.5.dr Static PE information: section name: .hzrd
Source: SLC.dll.5.dr Static PE information: section name: .gfrpb
Source: SLC.dll.5.dr Static PE information: section name: .ymlijr
Source: SLC.dll.5.dr Static PE information: section name: .tntrb
Source: SLC.dll.5.dr Static PE information: section name: .rmvhl
Source: SLC.dll.5.dr Static PE information: section name: .ukcyi
Source: SLC.dll.5.dr Static PE information: section name: .knmra
Source: SLC.dll.5.dr Static PE information: section name: .wtn
Source: SLC.dll.5.dr Static PE information: section name: .kjnw
Source: SLC.dll.5.dr Static PE information: section name: .okpgp
Source: SLC.dll.5.dr Static PE information: section name: .oxbitk
Source: SLC.dll.5.dr Static PE information: section name: .dplkzo
Source: SLC.dll.5.dr Static PE information: section name: .psnue
Source: SLC.dll.5.dr Static PE information: section name: .lida
Source: SLC.dll.5.dr Static PE information: section name: .arovjd
Source: SLC.dll.5.dr Static PE information: section name: .xsnm
Source: SLC.dll.5.dr Static PE information: section name: .jsl
Source: DUI70.dll0.5.dr Static PE information: section name: .qkm
Source: DUI70.dll0.5.dr Static PE information: section name: .cvjb
Source: DUI70.dll0.5.dr Static PE information: section name: .tlmkv
Source: DUI70.dll0.5.dr Static PE information: section name: .wucsxe
Source: DUI70.dll0.5.dr Static PE information: section name: .wnx
Source: DUI70.dll0.5.dr Static PE information: section name: .weqy
Source: DUI70.dll0.5.dr Static PE information: section name: .yby
Source: DUI70.dll0.5.dr Static PE information: section name: .ormx
Source: DUI70.dll0.5.dr Static PE information: section name: .dhclu
Source: DUI70.dll0.5.dr Static PE information: section name: .xmiul
Source: DUI70.dll0.5.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll0.5.dr Static PE information: section name: .get
Source: DUI70.dll0.5.dr Static PE information: section name: .hzrd
Source: DUI70.dll0.5.dr Static PE information: section name: .gfrpb
Source: DUI70.dll0.5.dr Static PE information: section name: .ymlijr
Source: DUI70.dll0.5.dr Static PE information: section name: .tntrb
Source: DUI70.dll0.5.dr Static PE information: section name: .rmvhl
Source: DUI70.dll0.5.dr Static PE information: section name: .ukcyi
Source: DUI70.dll0.5.dr Static PE information: section name: .knmra
Source: DUI70.dll0.5.dr Static PE information: section name: .wtn
Source: DUI70.dll0.5.dr Static PE information: section name: .kjnw
Source: DUI70.dll0.5.dr Static PE information: section name: .okpgp
Source: DUI70.dll0.5.dr Static PE information: section name: .oxbitk
Source: DUI70.dll0.5.dr Static PE information: section name: .dplkzo
Source: DUI70.dll0.5.dr Static PE information: section name: .psnue
Source: DUI70.dll0.5.dr Static PE information: section name: .lida
Source: DUI70.dll0.5.dr Static PE information: section name: .arovjd
Source: DUI70.dll0.5.dr Static PE information: section name: .xsnm
Source: DUI70.dll0.5.dr Static PE information: section name: .jxxke
Source: DUI70.dll1.5.dr Static PE information: section name: .qkm
Source: DUI70.dll1.5.dr Static PE information: section name: .cvjb
Source: DUI70.dll1.5.dr Static PE information: section name: .tlmkv
Source: DUI70.dll1.5.dr Static PE information: section name: .wucsxe
Source: DUI70.dll1.5.dr Static PE information: section name: .wnx
Source: DUI70.dll1.5.dr Static PE information: section name: .weqy
Source: DUI70.dll1.5.dr Static PE information: section name: .yby
Source: DUI70.dll1.5.dr Static PE information: section name: .ormx
Source: DUI70.dll1.5.dr Static PE information: section name: .dhclu
Source: DUI70.dll1.5.dr Static PE information: section name: .xmiul
Source: DUI70.dll1.5.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll1.5.dr Static PE information: section name: .get
Source: DUI70.dll1.5.dr Static PE information: section name: .hzrd
Source: DUI70.dll1.5.dr Static PE information: section name: .gfrpb
Source: DUI70.dll1.5.dr Static PE information: section name: .ymlijr
Source: DUI70.dll1.5.dr Static PE information: section name: .tntrb
Source: DUI70.dll1.5.dr Static PE information: section name: .rmvhl
Source: DUI70.dll1.5.dr Static PE information: section name: .ukcyi
Source: DUI70.dll1.5.dr Static PE information: section name: .knmra
Source: DUI70.dll1.5.dr Static PE information: section name: .wtn
Source: DUI70.dll1.5.dr Static PE information: section name: .kjnw
Source: DUI70.dll1.5.dr Static PE information: section name: .okpgp
Source: DUI70.dll1.5.dr Static PE information: section name: .oxbitk
Source: DUI70.dll1.5.dr Static PE information: section name: .dplkzo
Source: DUI70.dll1.5.dr Static PE information: section name: .psnue
Source: DUI70.dll1.5.dr Static PE information: section name: .lida
Source: DUI70.dll1.5.dr Static PE information: section name: .arovjd
Source: DUI70.dll1.5.dr Static PE information: section name: .xsnm
Source: DUI70.dll1.5.dr Static PE information: section name: .ddia
Source: SYSDM.CPL.5.dr Static PE information: section name: .qkm
Source: SYSDM.CPL.5.dr Static PE information: section name: .cvjb
Source: SYSDM.CPL.5.dr Static PE information: section name: .tlmkv
Source: SYSDM.CPL.5.dr Static PE information: section name: .wucsxe
Source: SYSDM.CPL.5.dr Static PE information: section name: .wnx
Source: SYSDM.CPL.5.dr Static PE information: section name: .weqy
Source: SYSDM.CPL.5.dr Static PE information: section name: .yby
Source: SYSDM.CPL.5.dr Static PE information: section name: .ormx
Source: SYSDM.CPL.5.dr Static PE information: section name: .dhclu
Source: SYSDM.CPL.5.dr Static PE information: section name: .xmiul
Source: SYSDM.CPL.5.dr Static PE information: section name: .tlwcxe
Source: SYSDM.CPL.5.dr Static PE information: section name: .get
Source: SYSDM.CPL.5.dr Static PE information: section name: .hzrd
Source: SYSDM.CPL.5.dr Static PE information: section name: .gfrpb
Source: SYSDM.CPL.5.dr Static PE information: section name: .ymlijr
Source: SYSDM.CPL.5.dr Static PE information: section name: .tntrb
Source: SYSDM.CPL.5.dr Static PE information: section name: .rmvhl
Source: SYSDM.CPL.5.dr Static PE information: section name: .ukcyi
Source: SYSDM.CPL.5.dr Static PE information: section name: .knmra
Source: SYSDM.CPL.5.dr Static PE information: section name: .wtn
Source: SYSDM.CPL.5.dr Static PE information: section name: .kjnw
Source: SYSDM.CPL.5.dr Static PE information: section name: .okpgp
Source: SYSDM.CPL.5.dr Static PE information: section name: .oxbitk
Source: SYSDM.CPL.5.dr Static PE information: section name: .dplkzo
Source: SYSDM.CPL.5.dr Static PE information: section name: .psnue
Source: SYSDM.CPL.5.dr Static PE information: section name: .lida
Source: SYSDM.CPL.5.dr Static PE information: section name: .arovjd
Source: SYSDM.CPL.5.dr Static PE information: section name: .xsnm
Source: SYSDM.CPL.5.dr Static PE information: section name: .cav
Source: dwmapi.dll.5.dr Static PE information: section name: .qkm
Source: dwmapi.dll.5.dr Static PE information: section name: .cvjb
Source: dwmapi.dll.5.dr Static PE information: section name: .tlmkv
Source: dwmapi.dll.5.dr Static PE information: section name: .wucsxe
Source: dwmapi.dll.5.dr Static PE information: section name: .wnx
Source: dwmapi.dll.5.dr Static PE information: section name: .weqy
Source: dwmapi.dll.5.dr Static PE information: section name: .yby
Source: dwmapi.dll.5.dr Static PE information: section name: .ormx
Source: dwmapi.dll.5.dr Static PE information: section name: .dhclu
Source: dwmapi.dll.5.dr Static PE information: section name: .xmiul
Source: dwmapi.dll.5.dr Static PE information: section name: .tlwcxe
Source: dwmapi.dll.5.dr Static PE information: section name: .get
Source: dwmapi.dll.5.dr Static PE information: section name: .hzrd
Source: dwmapi.dll.5.dr Static PE information: section name: .gfrpb
Source: dwmapi.dll.5.dr Static PE information: section name: .ymlijr
Source: dwmapi.dll.5.dr Static PE information: section name: .tntrb
Source: dwmapi.dll.5.dr Static PE information: section name: .rmvhl
Source: dwmapi.dll.5.dr Static PE information: section name: .ukcyi
Source: dwmapi.dll.5.dr Static PE information: section name: .knmra
Source: dwmapi.dll.5.dr Static PE information: section name: .wtn
Source: dwmapi.dll.5.dr Static PE information: section name: .kjnw
Source: dwmapi.dll.5.dr Static PE information: section name: .okpgp
Source: dwmapi.dll.5.dr Static PE information: section name: .oxbitk
Source: dwmapi.dll.5.dr Static PE information: section name: .dplkzo
Source: dwmapi.dll.5.dr Static PE information: section name: .psnue
Source: dwmapi.dll.5.dr Static PE information: section name: .lida
Source: dwmapi.dll.5.dr Static PE information: section name: .arovjd
Source: dwmapi.dll.5.dr Static PE information: section name: .xsnm
Source: dwmapi.dll.5.dr Static PE information: section name: .ebzjsb
Source: dwmapi.dll0.5.dr Static PE information: section name: .qkm
Source: dwmapi.dll0.5.dr Static PE information: section name: .cvjb
Source: dwmapi.dll0.5.dr Static PE information: section name: .tlmkv
Source: dwmapi.dll0.5.dr Static PE information: section name: .wucsxe
Source: dwmapi.dll0.5.dr Static PE information: section name: .wnx
Source: dwmapi.dll0.5.dr Static PE information: section name: .weqy
Source: dwmapi.dll0.5.dr Static PE information: section name: .yby
Source: dwmapi.dll0.5.dr Static PE information: section name: .ormx
Source: dwmapi.dll0.5.dr Static PE information: section name: .dhclu
Source: dwmapi.dll0.5.dr Static PE information: section name: .xmiul
Source: dwmapi.dll0.5.dr Static PE information: section name: .tlwcxe
Source: dwmapi.dll0.5.dr Static PE information: section name: .get
Source: dwmapi.dll0.5.dr Static PE information: section name: .hzrd
Source: dwmapi.dll0.5.dr Static PE information: section name: .gfrpb
Source: dwmapi.dll0.5.dr Static PE information: section name: .ymlijr
Source: dwmapi.dll0.5.dr Static PE information: section name: .tntrb
Source: dwmapi.dll0.5.dr Static PE information: section name: .rmvhl
Source: dwmapi.dll0.5.dr Static PE information: section name: .ukcyi
Source: dwmapi.dll0.5.dr Static PE information: section name: .knmra
Source: dwmapi.dll0.5.dr Static PE information: section name: .wtn
Source: dwmapi.dll0.5.dr Static PE information: section name: .kjnw
Source: dwmapi.dll0.5.dr Static PE information: section name: .okpgp
Source: dwmapi.dll0.5.dr Static PE information: section name: .oxbitk
Source: dwmapi.dll0.5.dr Static PE information: section name: .dplkzo
Source: dwmapi.dll0.5.dr Static PE information: section name: .psnue
Source: dwmapi.dll0.5.dr Static PE information: section name: .lida
Source: dwmapi.dll0.5.dr Static PE information: section name: .arovjd
Source: dwmapi.dll0.5.dr Static PE information: section name: .xsnm
Source: dwmapi.dll0.5.dr Static PE information: section name: .guwfpe
Source: WTSAPI32.dll.5.dr Static PE information: section name: .qkm
Source: WTSAPI32.dll.5.dr Static PE information: section name: .cvjb
Source: WTSAPI32.dll.5.dr Static PE information: section name: .tlmkv
Source: WTSAPI32.dll.5.dr Static PE information: section name: .wucsxe
Source: WTSAPI32.dll.5.dr Static PE information: section name: .wnx
Source: WTSAPI32.dll.5.dr Static PE information: section name: .weqy
Source: WTSAPI32.dll.5.dr Static PE information: section name: .yby
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ormx
Source: WTSAPI32.dll.5.dr Static PE information: section name: .dhclu
Source: WTSAPI32.dll.5.dr Static PE information: section name: .xmiul
Source: WTSAPI32.dll.5.dr Static PE information: section name: .tlwcxe
Source: WTSAPI32.dll.5.dr Static PE information: section name: .get
Source: WTSAPI32.dll.5.dr Static PE information: section name: .hzrd
Source: WTSAPI32.dll.5.dr Static PE information: section name: .gfrpb
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ymlijr
Source: WTSAPI32.dll.5.dr Static PE information: section name: .tntrb
Source: WTSAPI32.dll.5.dr Static PE information: section name: .rmvhl
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ukcyi
Source: WTSAPI32.dll.5.dr Static PE information: section name: .knmra
Source: WTSAPI32.dll.5.dr Static PE information: section name: .wtn
Source: WTSAPI32.dll.5.dr Static PE information: section name: .kjnw
Source: WTSAPI32.dll.5.dr Static PE information: section name: .okpgp
Source: WTSAPI32.dll.5.dr Static PE information: section name: .oxbitk
Source: WTSAPI32.dll.5.dr Static PE information: section name: .dplkzo
Source: WTSAPI32.dll.5.dr Static PE information: section name: .psnue
Source: WTSAPI32.dll.5.dr Static PE information: section name: .lida
Source: WTSAPI32.dll.5.dr Static PE information: section name: .arovjd
Source: WTSAPI32.dll.5.dr Static PE information: section name: .xsnm
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ewk
PE file contains an invalid checksum
Source: DUI70.dll0.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1ba3da
Source: DUI70.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1c3a86
Source: WTSAPI32.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x17e741
Source: HID.DLL.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x176730
Source: DUI70.dll1.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1bcde0
Source: SYSDM.CPL.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x17267b
Source: SLC.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1765b4
Source: UxTheme.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x17aa1e
Source: dwmapi.dll0.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x175795
Source: 2qTIaOLW2o.dll Static PE information: real checksum: 0x7d786c40 should be: 0x17290a
Source: dwmapi.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x171021
Binary contains a suspicious time stamp
Source: SndVol.exe.5.dr Static PE information: 0x6E534A77 [Sun Aug 27 01:25:11 2028 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\hbyq\SYSDM.CPL
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\y7FgRNmA\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\cAlXLQGkN\SndVol.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\xOu8\LockScreenContentServer.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\rPj\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\N52IORg\rdpinit.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\cAlXLQGkN\UxTheme.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ScS40sYu\GamePanel.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\xOu8\dwmapi.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\hbyq\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\52smNq1W\SLC.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\hbyq\SYSDM.CPL
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\CsJaRZ\tabcal.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\CsJaRZ\HID.DLL
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\famGrLP\dpapimig.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ScS40sYu\dwmapi.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\y7FgRNmA\dpapimig.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\N52IORg\WTSAPI32.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\famGrLP\DUI70.dll

Boot Survival:

Stores files to the Windows start menu directory
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\kbiogkuS0
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 4460 Thread sleep count: 36 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\famGrLP\dpapimig.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\y7FgRNmA\dpapimig.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\xOu8\LockScreenContentServer.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\N52IORg\rdpinit.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ScS40sYu\GamePanel.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\N52IORg\WTSAPI32.dll
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 GetSystemInfo, 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: 33_2_00007FF7B2466334 #620,#624,#6050,#1040,#1040,#4436,#1122,#1040,#624,#1259,#1040,#626,FindFirstFileW,#624,#1259,#1262,#1122,#1040,#1040,#1040,_wcsicmp,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,#624,#1259,#1040,FindFirstFileW,#622,#624,#624,#1259,#1259,#1040,#1040,#1040,#1040,#1040,FindNextFileW,FindClose,RemoveDirectoryW,#1040,#1040,#1040,#1040, 33_2_00007FF7B2466334
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: 33_2_00007FF7B24672AC #624,FindFirstFileW,FindClose,#6050,_wcsicmp,#1040,#1463,_wcsicmp,#624,CreateFileW,GetFileSize,ReadFile,CloseHandle,#1040,CreateFileW,#6886,CloseHandle,#6886,_wcsicmp,#626,#624,#1040,#624,#1122,SetupIterateCabinetW,#1040,#626,#626,RegOpenKeyExW,RegGetValueW,#1126,RegCloseKey,#1040,#1040,#1040,RegOpenKeyExW,#624,#2975,RegSetValueExW,#1122,RegCloseKey,#1040,RegCloseKey,#620,#620,#628,#1042,#1040,#1040,#622,#1259,#1122,#1040,#1040,#1284,#2783,#1040,#1040,#1040,#1042,#1040,#1040,#1040,#1040,#1040,#1040,GetLastError,#626,#626,#4473,#4473,#1287,#1287,MessageBoxW,#1040,#1040,#1040, 33_2_00007FF7B24672AC
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: 33_2_00007FF7B2465DE8 #626,#626,#1122,#624,#6050,#1040,#1040,#624,#1284,#1040,#1259,#1122,#1040,FindFirstFileW,#624,#1259,#1358,#1040,#1040,FindNextFileW,FindClose,#624,#1259,#1122,#1040,#1040,FindFirstFileW,#624,#1259,#1040,#1040,FindNextFileW,FindClose,#1040,#1040, 33_2_00007FF7B2465DE8
Source: explorer.exe, 00000005.00000000.286592202.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000005.00000000.286592202.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.245879634.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000005.00000000.286650607.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000005.00000000.248330423.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000005.00000000.286650607.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\cAlXLQGkN\SndVol.exe Code function: 22_2_00007FF6153D21D0 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 22_2_00007FF6153D21D0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\cAlXLQGkN\SndVol.exe Code function: 22_2_00007FF6153D3288 WaitForSingleObjectEx,GetLastError,CloseHandle,SetLastError,GetLastError,CloseHandle,SetLastError,GetLastError,ReleaseMutex,SetLastError,GetProcessHeap,HeapFree,ReleaseMutex, 22_2_00007FF6153D3288
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose, 0_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\cAlXLQGkN\SndVol.exe Code function: 22_2_00007FF6153EEE40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_00007FF6153EEE40
Source: C:\Users\user\AppData\Local\cAlXLQGkN\SndVol.exe Code function: 22_2_00007FF6153EF2E0 SetUnhandledExceptionFilter, 22_2_00007FF6153EF2E0
Source: C:\Users\user\AppData\Local\CsJaRZ\tabcal.exe Code function: 24_2_00007FF6FB159094 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00007FF6FB159094
Source: C:\Users\user\AppData\Local\CsJaRZ\tabcal.exe Code function: 24_2_00007FF6FB159290 SetUnhandledExceptionFilter, 24_2_00007FF6FB159290
Source: C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe Code function: 28_2_00007FF6A56C09B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00007FF6A56C09B4
Source: C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe Code function: 28_2_00007FF6A56C0740 SetUnhandledExceptionFilter, 28_2_00007FF6A56C0740
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: 33_2_00007FF7B246D120 SetUnhandledExceptionFilter, 33_2_00007FF7B246D120
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: 33_2_00007FF7B246CE08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 33_2_00007FF7B246CE08
Source: C:\Users\user\AppData\Local\famGrLP\dpapimig.exe Code function: 35_2_00007FF6882C2BE0 SetUnhandledExceptionFilter, 35_2_00007FF6882C2BE0
Source: C:\Users\user\AppData\Local\famGrLP\dpapimig.exe Code function: 35_2_00007FF6882C29D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 35_2_00007FF6882C29D0
Source: C:\Users\user\AppData\Local\y7FgRNmA\dpapimig.exe Code function: 38_2_00007FF6751029D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 38_2_00007FF6751029D0
Source: C:\Users\user\AppData\Local\y7FgRNmA\dpapimig.exe Code function: 38_2_00007FF675102BE0 SetUnhandledExceptionFilter, 38_2_00007FF675102BE0
Source: C:\Users\user\AppData\Local\hbyq\SystemPropertiesPerformance.exe Code function: 40_2_00007FF6052516E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 40_2_00007FF6052516E4
Source: C:\Users\user\AppData\Local\hbyq\SystemPropertiesPerformance.exe Code function: 40_2_00007FF605251460 SetUnhandledExceptionFilter, 40_2_00007FF605251460

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: UxTheme.dll.5.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Contains functionality to automate explorer (e.g. start an application)
Source: C:\Users\user\AppData\Local\cAlXLQGkN\SndVol.exe Code function: 22_2_00007FF6153DA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent, 22_2_00007FF6153DA5C8
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\CsJaRZ\tabcal.exe Code function: 24_2_00007FF6FB1515D0 GetModuleFileNameW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,ShellExecuteW,GetProcessHeap,HeapFree,LocalFree, 24_2_00007FF6FB1515D0
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2qTIaOLW2o.dll',#1
Source: explorer.exe, 00000005.00000000.293621445.0000000001640000.00000002.00020000.sdmp, SndVol.exe Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.293621445.0000000001640000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.293621445.0000000001640000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000005.00000000.245752691.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: SndVol.exe, 00000016.00000002.353824217.00007FF6153F2000.00000002.00020000.sdmp, SndVol.exe.5.dr Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
Source: rdpinit.exe.5.dr Binary or memory string: Initialize failedDwmpGetColorizationParameters failedDwmpSetColorizationParametersCRdpTrayTaskbarCreatedShell_TrayWndRdptrayTSCreateAppbarTrayFN failedTSCreateShellNotifyTrayFN failedTSCreateTaskbarTrayFn failedTSCreateWindowCloakingTracker failedFailed g_RailOrderEncoder.InitializeFailed g_RailOrderEncoder.StartUpdating max icon size for the tray icon failed.m_spAppBarTrayFnm_spWindowCloakingTrackerRemoveWindow failedRemoveDestroyedWindows failed~/
Source: explorer.exe, 00000005.00000000.293621445.0000000001640000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000005.00000000.293621445.0000000001640000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\cAlXLQGkN\SndVol.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\cAlXLQGkN\SndVol.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\CsJaRZ\tabcal.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\CsJaRZ\tabcal.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\famGrLP\dpapimig.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\famGrLP\dpapimig.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\y7FgRNmA\dpapimig.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\y7FgRNmA\dpapimig.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\hbyq\SystemPropertiesPerformance.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\hbyq\SystemPropertiesPerformance.exe Queries volume information: unknown VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\cAlXLQGkN\SndVol.exe Code function: GetUserPreferredUILanguages,malloc,GetUserPreferredUILanguages,GetLocaleInfoEx,free, 22_2_00007FF6153E9EF4
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,memset,#626,#626,#2846,#2846,GetNumberFormatW,#624,#1040,#1040, 33_2_00007FF7B2459CEC
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: #624,#1463,#6708,#626,#2846,#1122,#2846,#1095,#2629,GetDateFormatW,#1126,#2841,#1122,#4473,#4473,#1122,wcstoul,GetLocaleInfoW,#4473,#4473,#4473,#4473,#4473,#626,#1122,memset,StrFormatByteSizeEx,#1126,#2846,#1122,#1040,#1264,#1284,#1264,#1284,#1264,#1284,#1264,#1284,#1264,#1284,#1040,#1264,#1262,#1259,#1262,#1284,#1040,#1040,#1040,#1040,#1040,#1122,#4523,#4521,#6708,#1095,#2629,GetDateFormatW,#1126,GetTimeFormatW,#624,#624,#1259,#1284,#1040,#1040,#1040,#2841,#1122,#1040,#1122,#1040,#1122,#624,#2783,#6216,#2846,#1040,#1040, 33_2_00007FF7B2459E90
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\cAlXLQGkN\SndVol.exe Code function: 22_2_00007FF6153EF470 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 22_2_00007FF6153EF470
Source: C:\Users\user\AppData\Local\52smNq1W\msinfo32.exe Code function: 33_2_00007FF7B24589B8 #626,#624,GetVersionExW,#624,#620, 33_2_00007FF7B24589B8

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\rPj\ProximityUxHost.exe Code function: 28_2_00007FF6A56AC8A0 TlsGetValue,TlsSetValue,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?CreateBool@Value@DirectUI@@SAPEAV12@_N@Z,?AccessibleProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ,?SetValue@Element@DirectUI@@QEAAJP6APEBUPropertyInfo@2@XZHPEAVValue@2@@Z,?_ZeroRelease@Value@DirectUI@@AEAAXXZ,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?GetClassInfoPtr@ModernProgressBar@DirectUI@@SAPEAUIClassInfo@2@XZ,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ,TlsGetValue,TlsSetValue, 28_2_00007FF6A56AC8A0
No contacted IP infos