Play interactive tour

Edit tour

Windows Analysis Report rPP7AHsBQt

Overview

General Information

Sample Name:	rPP7AHsBQt (renamed file extension from none to dll)
Analysis ID:	492692
MD5:	6966f6e2c68c1f536d63b50bb966c031
SHA1:	c10eace5e0b5c0531895ed1d02332e3e8bd0fd32
SHA256:	67e634c8f431ed69d672dca57c2bd493772b24fdee37432aa8fc3e1822f0b804
Tags:	Dridexexe
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes memory attributes in foreign processes to executable or writable

Queues an APC in another process (thread injection)

Windows Update Standalone Installer command line found (may be used to bypass UAC)

Uses Atom Bombing / ProGate to inject into other processes

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries the installation date of Windows

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Binary contains a suspicious time stamp

Potential key logger detected (key state polling based)

PE file contains more sections than normal

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 5548 cmdline: loaddll64.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)

cmd.exe (PID: 4312 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 5560 cmdline: rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 2716 cmdline: rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FlushQueue MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

RDVGHelper.exe (PID: 6456 cmdline: C:\Windows\system32\RDVGHelper.exe MD5: 0BF1E2262C95164A0B244174167FBD85)

RDVGHelper.exe (PID: 6464 cmdline: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe MD5: 0BF1E2262C95164A0B244174167FBD85)

wusa.exe (PID: 6884 cmdline: C:\Windows\system32\wusa.exe MD5: 04CE745559916B99248F266BBF5F9ED9)

wusa.exe (PID: 6940 cmdline: C:\Users\user\AppData\Local\v74M\wusa.exe MD5: 04CE745559916B99248F266BBF5F9ED9)

Dxpserver.exe (PID: 3476 cmdline: C:\Windows\system32\Dxpserver.exe MD5: DCCB1D350193BE0A26CEAFF602DB848E)

Dxpserver.exe (PID: 4116 cmdline: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe MD5: DCCB1D350193BE0A26CEAFF602DB848E)

InfDefaultInstall.exe (PID: 6700 cmdline: C:\Windows\system32\InfDefaultInstall.exe MD5: 5FDB30927E9D4387D777443BF865EEFD)

InfDefaultInstall.exe (PID: 6708 cmdline: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe MD5: 5FDB30927E9D4387D777443BF865EEFD)

sethc.exe (PID: 7036 cmdline: C:\Windows\system32\sethc.exe MD5: 1C0BF0B710016600C9D9F23CC7103C0A)

sethc.exe (PID: 7068 cmdline: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe MD5: 1C0BF0B710016600C9D9F23CC7103C0A)

DevicePairingWizard.exe (PID: 6340 cmdline: C:\Windows\system32\DevicePairingWizard.exe MD5: E23643C785D498FF73B5C9D7EA173C3D)

DevicePairingWizard.exe (PID: 5596 cmdline: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe MD5: E23643C785D498FF73B5C9D7EA173C3D)

rundll32.exe (PID: 1748 cmdline: rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FreePreparsedData MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5480 cmdline: rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_GetAttributes MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.346721215.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001C.00000002.402645228.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000024.00000002.460431340.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001F.00000002.434908663.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000008.00000002.259769048.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000026.00000002.487070134.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000000A.00000002.266794445.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000017.00000002.375513310.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000029.00000002.533624086.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000005.00000002.252486367.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 6 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: rPP7AHsBQt.dll	Metadefender: Detection: 60%			Perma Link
Source: rPP7AHsBQt.dll	ReversingLabs: Detection: 75%

Antivirus / Scanner detection for submitted sample

Show sources

Source: rPP7AHsBQt.dll

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\9Q3FqD\MFC42u.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\CDG6Inqi\VERSION.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\30KRxXoL\dwmapi.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\I3GPZ\wer.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\2YZyR\WTSAPI32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\hxqisrGT\OLEACC.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\QpqMx\WINSTA.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\AzSj\newdev.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2YZyR\WTSAPI32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6598780 memset,LocalFree,CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,memset,CreateDirectoryA,GetLastError,GetFileAttributesA,GetLastError,DecryptFileA,GetLastError,MultiByteToWideChar,GetLastError,CryptReleaseContext,LocalFree,
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDEFCC memset,CreateFileW,CryptCATAdminCalcHashFromFileHandle,CryptCATAdminCalcHashFromFileHandle,SetFilePointer,GetLastError,memset,WinVerifyTrustEx,WTHelperProvDataFromStateData,WTHelperGetProvSignerFromChain,CertVerifyCertificateChainPolicy,WinVerifyTrustEx,CloseHandle,
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDF224 CreateFileW,CryptCATAdminCalcHashFromFileHandle,CryptCATAdminCalcHashFromFileHandle,GetLastError,CloseHandle,GetLastError,CryptCATAdminAcquireContext,CryptCATAdminEnumCatalogFromHash,memset,CryptCATCatalogInfoFromContext,CryptCATAdminReleaseCatalogContext,CryptCATAdminReleaseContext,GetLastError,GetLastError,

Source: rPP7AHsBQt.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: wusa.pdbGCTL source: wusa.exe, 0000001C.00000000.380896206.00007FF6D65A7000.00000002.00020000.sdmp, wusa.exe.7.dr
Source:	Binary string: RdpSaUacHelper.pdbGCTL source: RdpSaUacHelper.exe.7.dr
Source:	Binary string: wusa.pdb source: wusa.exe, 0000001C.00000000.380896206.00007FF6D65A7000.00000002.00020000.sdmp, wusa.exe.7.dr
Source:	Binary string: wscript.pdbGCTL source: wscript.exe.7.dr
Source:	Binary string: InfDefaultInstall.pdb source: InfDefaultInstall.exe, 00000024.00000002.462413235.00007FF6EE8A2000.00000002.00020000.sdmp, InfDefaultInstall.exe.7.dr
Source:	Binary string: sethc.pdbGCTL source: sethc.exe, 00000026.00000002.495085646.00007FF61C02C000.00000002.00020000.sdmp, sethc.exe.7.dr
Source:	Binary string: wbengine.pdbGCTL source: wbengine.exe.7.dr
Source:	Binary string: InfDefaultInstall.pdbGCTL source: InfDefaultInstall.exe, 00000024.00000002.462413235.00007FF6EE8A2000.00000002.00020000.sdmp, InfDefaultInstall.exe.7.dr
Source:	Binary string: wbengine.pdb source: wbengine.exe.7.dr
Source:	Binary string: RDVGHelper.pdbGCTL source: RDVGHelper.exe, 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp, RDVGHelper.exe.7.dr
Source:	Binary string: DXPServer.pdbGCTL source: Dxpserver.exe, 0000001F.00000000.413263469.00007FF7D7EE1000.00000002.00020000.sdmp, Dxpserver.exe.7.dr
Source:	Binary string: wscript.pdb source: wscript.exe.7.dr
Source:	Binary string: sethc.pdb source: sethc.exe, 00000026.00000002.495085646.00007FF61C02C000.00000002.00020000.sdmp, sethc.exe.7.dr
Source:	Binary string: DevicePairingWizard.pdb source: DevicePairingWizard.exe, 00000029.00000000.508573179.00007FF6159D7000.00000002.00020000.sdmp, DevicePairingWizard.exe.7.dr
Source:	Binary string: RdpSaUacHelper.pdb source: RdpSaUacHelper.exe.7.dr
Source:	Binary string: RDVGHelper.pdb source: RDVGHelper.exe, 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp, RDVGHelper.exe.7.dr
Source:	Binary string: DXPServer.pdb source: Dxpserver.exe, 0000001F.00000000.413263469.00007FF7D7EE1000.00000002.00020000.sdmp, Dxpserver.exe.7.dr
Source:	Binary string: DevicePairingWizard.pdbGCTL source: DevicePairingWizard.exe, 00000029.00000000.508573179.00007FF6159D7000.00000002.00020000.sdmp, DevicePairingWizard.exe.7.dr

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005D290 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6591BC0 memset,memset,CoInitializeEx,FindFirstFileW,GetLastError,lstrcmpiW,FindNextFileW,GetLastError,GetCommandLineW,EventWrite,FindClose,CoUninitialize,LocalFree,
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6598D04 memset,memset,memset,FindFirstFileW,GetLastError,lstrcmpW,lstrcmpW,DeleteFileW,GetLastError,MoveFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,GetLastError,LocalFree,
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB1914 SHCreateDirectory,memset,FindFirstFileW,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,SHCreateDirectory,CompareStringOrdinal,CreateFileW,CloseHandle,GetLastError,SetFileAttributesW,CopyFileExW,GetLastError,CoCreateGuid,StringFromGUID2,MoveFileW,GetLastError,CopyFileExW,GetLastError,FindNextFileW,FindClose,GetLastError,

Source: explorer.exe, 00000007.00000000.302989833.0000000008CBE000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microsoft.coG
Source: explorer.exe, 00000007.00000000.298400230.0000000006840000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe

Code function: 38_2_00007FF61C026DE0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,memset,SendInput,

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000004.00000002.346721215.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.402645228.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.460431340.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.434908663.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.259769048.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.487070134.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.266794445.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.375513310.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.533624086.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.252486367.0000000140001000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Code function: 23_2_00007FF7877793E0
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Code function: 23_2_00007FF787771608
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Code function: 23_2_00007FF787774530
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Code function: 23_2_00007FF787772378
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6598780
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6599910
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D659356C
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D65923F0
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D659A0FC
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6593D88
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6595EA4
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6591BC0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB1914
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED2900
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EC8CC0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB5CB8
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EBAC8C
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDBC70
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ECA064
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ECF460
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EC3C38
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED1000
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB7404
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED8BE0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDEFCC
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED0790
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED6740
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB5330
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EC1B14
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDD6F0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EBB2C0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED3E80
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED4A44
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB4A44
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDF224
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ECCE20
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB661C
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDC5F0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7ED5DC0
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EC7170
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB2950
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EC3554
Source: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	Code function: 36_2_00007FF6EE8A1078
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Code function: 38_2_00007FF61C023E00
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Code function: 38_2_00007FF61C025504
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Code function: 38_2_00007FF61C021524
Source: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Code function: 41_2_00007FF6159D31D0

Source: C:\Users\user\AppData\Local\v74M\wusa.exe

Code function: String function: 00007FF6D6599520 appears 162 times

Source: C:\Users\user\AppData\Local\v74M\wusa.exe

Code function: 28_2_00007FF6D6593A2C memset,GetSystemDirectoryW,wcsrchr,memset,CreateProcessAsUserW,GetLastError,WaitForSingleObject,GetLastError,GetExitCodeProcess,GetLastError,GetLastError,CloseHandle,CloseHandle,LocalFree,

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140046C90 NtClose,
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006A4B0 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Code function: 38_2_00007FF61C02A38C NtQueryWnfStateData,

Source: RdpSaUacHelper.exe.7.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: rPP7AHsBQt.dll

Binary or memory string: OriginalFilenamekbdyj% vs rPP7AHsBQt.dll

Source: wusa.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sethc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sethc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sethc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DevicePairingWizard.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: rPP7AHsBQt.dll	Static PE information: Number of sections : 34 > 10
Source: WTSAPI32.dll.7.dr	Static PE information: Number of sections : 35 > 10
Source: wer.dll.7.dr	Static PE information: Number of sections : 35 > 10
Source: WINSTA.dll.7.dr	Static PE information: Number of sections : 35 > 10
Source: VERSION.dll.7.dr	Static PE information: Number of sections : 35 > 10
Source: newdev.dll.7.dr	Static PE information: Number of sections : 35 > 10
Source: WTSAPI32.dll0.7.dr	Static PE information: Number of sections : 35 > 10
Source: dwmapi.dll.7.dr	Static PE information: Number of sections : 35 > 10
Source: OLEACC.dll.7.dr	Static PE information: Number of sections : 35 > 10
Source: MFC42u.dll.7.dr	Static PE information: Number of sections : 35 > 10

Source: rPP7AHsBQt.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll0.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: newdev.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: wer.dll.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: rPP7AHsBQt.dll	Metadefender: Detection: 60%
Source: rPP7AHsBQt.dll	ReversingLabs: Detection: 75%

Source: rPP7AHsBQt.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FlushQueue
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FreePreparsedData
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_GetAttributes
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\RDVGHelper.exe C:\Windows\system32\RDVGHelper.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\v74M\wusa.exe C:\Users\user\AppData\Local\v74M\wusa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\Dxpserver.exe C:\Windows\system32\Dxpserver.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\InfDefaultInstall.exe C:\Windows\system32\InfDefaultInstall.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\sethc.exe C:\Windows\system32\sethc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe C:\Users\user\AppData\Local\hxqisrGT\sethc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\DevicePairingWizard.exe C:\Windows\system32\DevicePairingWizard.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FlushQueue
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FreePreparsedData
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_GetAttributes
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\RDVGHelper.exe C:\Windows\system32\RDVGHelper.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\v74M\wusa.exe C:\Users\user\AppData\Local\v74M\wusa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\Dxpserver.exe C:\Windows\system32\Dxpserver.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\InfDefaultInstall.exe C:\Windows\system32\InfDefaultInstall.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\sethc.exe C:\Windows\system32\sethc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe C:\Users\user\AppData\Local\hxqisrGT\sethc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\DevicePairingWizard.exe C:\Windows\system32\DevicePairingWizard.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Users\user\AppData\Local\v74M\wusa.exe

Code function: 28_2_00007FF6D6595438 LookupPrivilegeValueW,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,LocalFree,

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Jump to behavior

Source: Dxpserver.exe.7.dr	Binary string: FNULL%s\....Device%s\%s%s%s\%s%s\Device\%s%s\Device
Source: wbengine.exe.7.dr	Binary string: 3Z((HANDLE)(LONG_PTR)-1) != hFilebase\stor\blb\dsm\dsmutils\dll\fsutilswrapper.cppExtractVolumePath(ssPath, ssVolumePath)SplitDirPath( ssDirPath, ssParentDir, ssDirName )GetParentPaths(ssPath, arrstrPaths)ssDirPath.Length() != 0base\stor\blb\dsm\dsmutils\dll\fsutils.cpppstrPath != 0pstrName != 0CLOCK$COMLPTCONPRNAUXNUL\\?\GLOBALROOT\Device\base\stor\blb\dsm\dsmutils\dll\fsutils.cppInvalid path:%lsssPath.Length() > 0GetVolumePrefixLength failed for %lsFailed to parse path:%lsExtractVolumePath(ssWorkingPath, ssVolumePath)ssWorkingPath[ssWorkingPath.Length() - 1] == L'\\'(((HRESULT)(hrReason)) < 0)pstrPath && pstrPath[0]pfIsReparsedppstrReparsePtPath && (ppstrReparsePtPath == 0)GetFileAttributes() failed on:%lsIsPathMountPoint(ssPath.PeekStr(), &fMountPoint)pszVolumePath != 0phVolume != 0ssVolumePath[ssVolumePath.Length() - 1] == L'\\'Failed to open volume:%ls((HANDLE)(LONG_PTR)-1) == hVolumeppstrPath && ppstrPath == 0dwPathLength > 0 && pstrFilePath[dwPathLength-1] == L'\\'0 != pdwFileAttributesGetFileInformationByHandle(hFile, &fileInfo)0 != lpstrFilePathCreateFile unsuccessful for %wsFSWrapperGetFileAttributes(hFile, pdwFileAttributes)0 != pFileAttributesGetFileInformationByHandleEx(hFile, FileBasicInfo, &fileInfo, sizeof(FILE_BASIC_INFO))GetFileSize failed for %ws((DWORD)-1) != dwFileAttributesGetFileInformationByHandleEx failedSetFileInformationByHandle failedFSWrapperSetFileAttributes(hFile, dwFileAttributes)SplitDirPath(strPath, strParent, strChild)Path %S is invalid as it contains a '.' or '..', hr=0x%08xHRESULT_FROM_WIN32(GetLastError())wszPath && wszPath[0]pfIsPathMountPoint
Source: wbengine.exe.7.dr	Binary string: abase\stor\blb\engine\blbengutils\blbvolumeutils.cpppbFloppypguidVolumeId != NULLpbIsCritical != NULLpguidVolumeIdwszMountedDeviceNamewszVolumeGuidpwszReparsePointName\\?\GLOBALROOT\DEVICE\HARDDISKVOLUME%dWsbMountedVolumeFile%lu_%spVolumeCatrgVolumeLocalwszVolumeGuidPathpwszVolumeGlobalRootPathVolume%ws\\?\GLOBALROOT%wspdwlJournalIdplastUsnwszVolumeName && *wszVolumeNamepbPerformResizepdwlUsnSizevssSnapshotId != GUID_NULLdwlJournalId != BLB_INVALID_USN_JOURNAL_IDusnBeforeSnapShot != BLB_INVALID_USN_IDwszBackupSetDirectorypwszVhdPathwszVolumeName != NULLpbIsVolumeOnSharedDisk != NULLpbIsCSVpdwVolumeNumber?UV9
Source: wbengine.exe.7.dr	Binary string: base\stor\blb\catalog\compare.cpprowid1 != rowid2pKey->m_type == pCol->m_typepRow1 > pRow2_hImpersonationToken != INVALID_HANDLE_VALUEbase\stor\blb\blbimg\blbimg.cxxReadHandle != INVALID_HANDLE_VALUEWriteHandle != INVALID_HANDLE_VALUEpdwFlagsFveGetStatusWwszDeviceName%ws\%wsuCurrentBit < HintSpaceBitmapSizeExtentLength > 0pCurrentListEntry->Length > 0pbRecomputeNeededpBadClusExtentsBeforeRecovery\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{\System Volume Information\*{3808876B-C176-4e48-B7AE-04046E6CC752}\System Volume Information\{{3808876B-C176-4e48-B7AE-04046E6CC752}ReplicationContext->FirstBlock != NULLIoState[CurrentBuffer] == BLBIMGI_IO_STATE_WRITINGBackupFileName != NULLReplicationHandleReplicationContext != NULLoffset[i] < volumeSizet.QuadPart < restoreContext->VolumeSizereadBuffer != NULL\pagefile.sys\hiberfil.sys!IsListEmpty(&diffsInSource){IQ
Source: wbengine.exe.7.dr	Binary string: e\\?\Globalroot\Device\Harddisk%lu\Partition1\\?\Globalroot\Device\Harddisk%lu\Partition2\\?\Globalroot\Device\HarddiskVolume%luChild_{47b7fa87-ce42-48ff-8b18-2f1088121503}WindowsBackupLinksbase\stor\blb\engine\blbengutils\blbvhdhelper.cppwszVhdFile && wszVhdFilepwszVolumeDevicePathwszDiskPath && wszDiskPathpwszVolumePathwszMountedDeviceName && wszMountedDeviceNamepCBlbVhdwszMountedVolumePathNoSlash && wszMountedVolumePathNoSlashpVhdContextpVhdContextForRemovalwszVolumeDevicePath && wszVolumeDevicePathppVhdContextpVhdContext->m_pCBlbVhdsdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_1 \|\| sdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_2ppDependencyInfopbIsVolVirtualppStorageDepInfowszTargetVolName && wszTargetVolNamewszVirtualSrcVolName && wszVirtualSrcVolNamepbIsVirtualSrcVolDependantpVolumeVHDInfo != NULLpstDepInfo != NULLpstDepInfoType2MaxAncestor != NULLpwszDiffVhdFilePath && pwszVhdTempPath%ws_%ws_%wspProgressReportCallbackContextwszVHDVolumeDevicePathpbCompactionRequiredwszVhdFilepGuidSnapshotIdwszVHDVolumeDevicePath && wszVHDVolumeDevicePathpdwVHDDeviceDiskNumberpVhdHandle

Source: classification engine

Classification label: mal96.troj.evad.winDLL@41/19@0/1

Source: C:\Users\user\AppData\Local\v74M\wusa.exe

Code function: 28_2_00007FF6D65923F0 CoInitializeEx,CoCreateInstance,CoCreateInstance,SysAllocString,SysAllocString,VariantInit,RegCreateKeyExW,RegSetValueExW,ShowWindow,GetCommandLineW,EventWrite,SysFreeString,SysFreeString,SysFreeString,SysFreeString,RegCloseKey,CoUninitialize,LocalFree,

Source: C:\Users\user\AppData\Local\v74M\wusa.exe

Code function: 28_2_00007FF6D6594EA8 FormatMessageW,GetLastError,wcsrchr,LocalFree,

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FlushQueue

Source: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Mutant created: \Sessions\1\BaseNamedObjects\{64861cbe-e0eb-8b07-73e1-c85e5ae3b186}
Source: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Mutant created: \Sessions\1\BaseNamedObjects\{643c605e-c57f-c264-fd43-c1594ee41ce2}

Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe

Code function: 31_2_00007FF7D7EB5CB8 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,memset,GetModuleFileNameW,

Source: wusa.exe	String found in binary or memory: Failed to display update-installed message box
Source: wusa.exe	String found in binary or memory: Failed to display update-not-installed message box

Source: rPP7AHsBQt.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: rPP7AHsBQt.dll

Static file information: File size 1777664 > 1048576

Source: rPP7AHsBQt.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: wusa.pdbGCTL source: wusa.exe, 0000001C.00000000.380896206.00007FF6D65A7000.00000002.00020000.sdmp, wusa.exe.7.dr
Source:	Binary string: RdpSaUacHelper.pdbGCTL source: RdpSaUacHelper.exe.7.dr
Source:	Binary string: wusa.pdb source: wusa.exe, 0000001C.00000000.380896206.00007FF6D65A7000.00000002.00020000.sdmp, wusa.exe.7.dr
Source:	Binary string: wscript.pdbGCTL source: wscript.exe.7.dr
Source:	Binary string: InfDefaultInstall.pdb source: InfDefaultInstall.exe, 00000024.00000002.462413235.00007FF6EE8A2000.00000002.00020000.sdmp, InfDefaultInstall.exe.7.dr
Source:	Binary string: sethc.pdbGCTL source: sethc.exe, 00000026.00000002.495085646.00007FF61C02C000.00000002.00020000.sdmp, sethc.exe.7.dr
Source:	Binary string: wbengine.pdbGCTL source: wbengine.exe.7.dr
Source:	Binary string: InfDefaultInstall.pdbGCTL source: InfDefaultInstall.exe, 00000024.00000002.462413235.00007FF6EE8A2000.00000002.00020000.sdmp, InfDefaultInstall.exe.7.dr
Source:	Binary string: wbengine.pdb source: wbengine.exe.7.dr
Source:	Binary string: RDVGHelper.pdbGCTL source: RDVGHelper.exe, 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp, RDVGHelper.exe.7.dr
Source:	Binary string: DXPServer.pdbGCTL source: Dxpserver.exe, 0000001F.00000000.413263469.00007FF7D7EE1000.00000002.00020000.sdmp, Dxpserver.exe.7.dr
Source:	Binary string: wscript.pdb source: wscript.exe.7.dr
Source:	Binary string: sethc.pdb source: sethc.exe, 00000026.00000002.495085646.00007FF61C02C000.00000002.00020000.sdmp, sethc.exe.7.dr
Source:	Binary string: DevicePairingWizard.pdb source: DevicePairingWizard.exe, 00000029.00000000.508573179.00007FF6159D7000.00000002.00020000.sdmp, DevicePairingWizard.exe.7.dr
Source:	Binary string: RdpSaUacHelper.pdb source: RdpSaUacHelper.exe.7.dr
Source:	Binary string: RDVGHelper.pdb source: RDVGHelper.exe, 00000017.00000002.377322728.00007FF787786000.00000002.00020000.sdmp, RDVGHelper.exe.7.dr
Source:	Binary string: DXPServer.pdb source: Dxpserver.exe, 0000001F.00000000.413263469.00007FF7D7EE1000.00000002.00020000.sdmp, Dxpserver.exe.7.dr
Source:	Binary string: DevicePairingWizard.pdbGCTL source: DevicePairingWizard.exe, 00000029.00000000.508573179.00007FF6159D7000.00000002.00020000.sdmp, DevicePairingWizard.exe.7.dr

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140056A4D push rdi; ret
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Code function: 23_2_00007FF78777B652 push rcx; ret
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D65A15F8 push rbx; retf
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D65A1964 push rbx; iretd

Source: rPP7AHsBQt.dll	Static PE information: section name: .qkm
Source: rPP7AHsBQt.dll	Static PE information: section name: .cvjb
Source: rPP7AHsBQt.dll	Static PE information: section name: .tlmkv
Source: rPP7AHsBQt.dll	Static PE information: section name: .wucsxe
Source: rPP7AHsBQt.dll	Static PE information: section name: .fltwtj
Source: rPP7AHsBQt.dll	Static PE information: section name: .tblq
Source: rPP7AHsBQt.dll	Static PE information: section name: .hcmjm
Source: rPP7AHsBQt.dll	Static PE information: section name: .nagyk
Source: rPP7AHsBQt.dll	Static PE information: section name: .jrucz
Source: rPP7AHsBQt.dll	Static PE information: section name: .rnr
Source: rPP7AHsBQt.dll	Static PE information: section name: .ths
Source: rPP7AHsBQt.dll	Static PE information: section name: .vyfudm
Source: rPP7AHsBQt.dll	Static PE information: section name: .bejn
Source: rPP7AHsBQt.dll	Static PE information: section name: .lxdw
Source: rPP7AHsBQt.dll	Static PE information: section name: .uffn
Source: rPP7AHsBQt.dll	Static PE information: section name: .cbmla
Source: rPP7AHsBQt.dll	Static PE information: section name: .fcy
Source: rPP7AHsBQt.dll	Static PE information: section name: .aady
Source: rPP7AHsBQt.dll	Static PE information: section name: .pqe
Source: rPP7AHsBQt.dll	Static PE information: section name: .zfem
Source: rPP7AHsBQt.dll	Static PE information: section name: .ila
Source: rPP7AHsBQt.dll	Static PE information: section name: .ygqg
Source: rPP7AHsBQt.dll	Static PE information: section name: .onr
Source: rPP7AHsBQt.dll	Static PE information: section name: .brn
Source: rPP7AHsBQt.dll	Static PE information: section name: .zch
Source: rPP7AHsBQt.dll	Static PE information: section name: .yithue
Source: rPP7AHsBQt.dll	Static PE information: section name: .jxyn
Source: rPP7AHsBQt.dll	Static PE information: section name: .bvk
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .qkm
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .cvjb
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .tlmkv
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .wucsxe
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .fltwtj
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .tblq
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .hcmjm
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .nagyk
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .jrucz
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .rnr
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .ths
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .vyfudm
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .bejn
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .lxdw
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .uffn
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .cbmla
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .fcy
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .aady
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .pqe
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .zfem
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .ila
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .ygqg
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .onr
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .brn
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .zch
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .yithue
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .jxyn
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .bvk
Source: WTSAPI32.dll.7.dr	Static PE information: section name: .pcgp
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .qkm
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .cvjb
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .tlmkv
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .wucsxe
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .fltwtj
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .tblq
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .hcmjm
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .nagyk
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .jrucz
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .rnr
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .ths
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .vyfudm
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .bejn
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .lxdw
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .uffn
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .cbmla
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .fcy
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .aady
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .pqe
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .zfem
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .ila
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .ygqg
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .onr
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .brn
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .zch
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .yithue
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .jxyn
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .bvk
Source: WTSAPI32.dll0.7.dr	Static PE information: section name: .bsdm
Source: dwmapi.dll.7.dr	Static PE information: section name: .qkm
Source: dwmapi.dll.7.dr	Static PE information: section name: .cvjb
Source: dwmapi.dll.7.dr	Static PE information: section name: .tlmkv
Source: dwmapi.dll.7.dr	Static PE information: section name: .wucsxe
Source: dwmapi.dll.7.dr	Static PE information: section name: .fltwtj
Source: dwmapi.dll.7.dr	Static PE information: section name: .tblq
Source: dwmapi.dll.7.dr	Static PE information: section name: .hcmjm
Source: dwmapi.dll.7.dr	Static PE information: section name: .nagyk
Source: dwmapi.dll.7.dr	Static PE information: section name: .jrucz
Source: dwmapi.dll.7.dr	Static PE information: section name: .rnr
Source: dwmapi.dll.7.dr	Static PE information: section name: .ths
Source: dwmapi.dll.7.dr	Static PE information: section name: .vyfudm
Source: dwmapi.dll.7.dr	Static PE information: section name: .bejn
Source: dwmapi.dll.7.dr	Static PE information: section name: .lxdw
Source: dwmapi.dll.7.dr	Static PE information: section name: .uffn
Source: dwmapi.dll.7.dr	Static PE information: section name: .cbmla
Source: dwmapi.dll.7.dr	Static PE information: section name: .fcy
Source: dwmapi.dll.7.dr	Static PE information: section name: .aady
Source: dwmapi.dll.7.dr	Static PE information: section name: .pqe
Source: dwmapi.dll.7.dr	Static PE information: section name: .zfem
Source: dwmapi.dll.7.dr	Static PE information: section name: .ila
Source: dwmapi.dll.7.dr	Static PE information: section name: .ygqg
Source: dwmapi.dll.7.dr	Static PE information: section name: .onr
Source: dwmapi.dll.7.dr	Static PE information: section name: .brn
Source: dwmapi.dll.7.dr	Static PE information: section name: .zch
Source: dwmapi.dll.7.dr	Static PE information: section name: .yithue
Source: dwmapi.dll.7.dr	Static PE information: section name: .jxyn
Source: dwmapi.dll.7.dr	Static PE information: section name: .bvk
Source: dwmapi.dll.7.dr	Static PE information: section name: .cyr
Source: newdev.dll.7.dr	Static PE information: section name: .qkm
Source: newdev.dll.7.dr	Static PE information: section name: .cvjb
Source: newdev.dll.7.dr	Static PE information: section name: .tlmkv
Source: newdev.dll.7.dr	Static PE information: section name: .wucsxe
Source: newdev.dll.7.dr	Static PE information: section name: .fltwtj
Source: newdev.dll.7.dr	Static PE information: section name: .tblq
Source: newdev.dll.7.dr	Static PE information: section name: .hcmjm
Source: newdev.dll.7.dr	Static PE information: section name: .nagyk
Source: newdev.dll.7.dr	Static PE information: section name: .jrucz
Source: newdev.dll.7.dr	Static PE information: section name: .rnr
Source: newdev.dll.7.dr	Static PE information: section name: .ths
Source: newdev.dll.7.dr	Static PE information: section name: .vyfudm
Source: newdev.dll.7.dr	Static PE information: section name: .bejn
Source: newdev.dll.7.dr	Static PE information: section name: .lxdw
Source: newdev.dll.7.dr	Static PE information: section name: .uffn
Source: newdev.dll.7.dr	Static PE information: section name: .cbmla
Source: newdev.dll.7.dr	Static PE information: section name: .fcy
Source: newdev.dll.7.dr	Static PE information: section name: .aady
Source: newdev.dll.7.dr	Static PE information: section name: .pqe
Source: newdev.dll.7.dr	Static PE information: section name: .zfem
Source: newdev.dll.7.dr	Static PE information: section name: .ila
Source: newdev.dll.7.dr	Static PE information: section name: .ygqg
Source: newdev.dll.7.dr	Static PE information: section name: .onr
Source: newdev.dll.7.dr	Static PE information: section name: .brn
Source: newdev.dll.7.dr	Static PE information: section name: .zch
Source: newdev.dll.7.dr	Static PE information: section name: .yithue
Source: newdev.dll.7.dr	Static PE information: section name: .jxyn
Source: newdev.dll.7.dr	Static PE information: section name: .bvk
Source: newdev.dll.7.dr	Static PE information: section name: .hpnyp
Source: OLEACC.dll.7.dr	Static PE information: section name: .qkm
Source: OLEACC.dll.7.dr	Static PE information: section name: .cvjb
Source: OLEACC.dll.7.dr	Static PE information: section name: .tlmkv
Source: OLEACC.dll.7.dr	Static PE information: section name: .wucsxe
Source: OLEACC.dll.7.dr	Static PE information: section name: .fltwtj
Source: OLEACC.dll.7.dr	Static PE information: section name: .tblq
Source: OLEACC.dll.7.dr	Static PE information: section name: .hcmjm
Source: OLEACC.dll.7.dr	Static PE information: section name: .nagyk
Source: OLEACC.dll.7.dr	Static PE information: section name: .jrucz
Source: OLEACC.dll.7.dr	Static PE information: section name: .rnr
Source: OLEACC.dll.7.dr	Static PE information: section name: .ths
Source: OLEACC.dll.7.dr	Static PE information: section name: .vyfudm
Source: OLEACC.dll.7.dr	Static PE information: section name: .bejn
Source: OLEACC.dll.7.dr	Static PE information: section name: .lxdw
Source: OLEACC.dll.7.dr	Static PE information: section name: .uffn
Source: OLEACC.dll.7.dr	Static PE information: section name: .cbmla
Source: OLEACC.dll.7.dr	Static PE information: section name: .fcy
Source: OLEACC.dll.7.dr	Static PE information: section name: .aady
Source: OLEACC.dll.7.dr	Static PE information: section name: .pqe
Source: OLEACC.dll.7.dr	Static PE information: section name: .zfem
Source: OLEACC.dll.7.dr	Static PE information: section name: .ila
Source: OLEACC.dll.7.dr	Static PE information: section name: .ygqg
Source: OLEACC.dll.7.dr	Static PE information: section name: .onr
Source: OLEACC.dll.7.dr	Static PE information: section name: .brn
Source: OLEACC.dll.7.dr	Static PE information: section name: .zch
Source: OLEACC.dll.7.dr	Static PE information: section name: .yithue
Source: OLEACC.dll.7.dr	Static PE information: section name: .jxyn
Source: OLEACC.dll.7.dr	Static PE information: section name: .bvk
Source: OLEACC.dll.7.dr	Static PE information: section name: .oif
Source: MFC42u.dll.7.dr	Static PE information: section name: .qkm
Source: MFC42u.dll.7.dr	Static PE information: section name: .cvjb
Source: MFC42u.dll.7.dr	Static PE information: section name: .tlmkv
Source: MFC42u.dll.7.dr	Static PE information: section name: .wucsxe
Source: MFC42u.dll.7.dr	Static PE information: section name: .fltwtj
Source: MFC42u.dll.7.dr	Static PE information: section name: .tblq
Source: MFC42u.dll.7.dr	Static PE information: section name: .hcmjm
Source: MFC42u.dll.7.dr	Static PE information: section name: .nagyk
Source: MFC42u.dll.7.dr	Static PE information: section name: .jrucz
Source: MFC42u.dll.7.dr	Static PE information: section name: .rnr
Source: MFC42u.dll.7.dr	Static PE information: section name: .ths
Source: MFC42u.dll.7.dr	Static PE information: section name: .vyfudm
Source: MFC42u.dll.7.dr	Static PE information: section name: .bejn
Source: MFC42u.dll.7.dr	Static PE information: section name: .lxdw
Source: MFC42u.dll.7.dr	Static PE information: section name: .uffn
Source: MFC42u.dll.7.dr	Static PE information: section name: .cbmla
Source: MFC42u.dll.7.dr	Static PE information: section name: .fcy
Source: MFC42u.dll.7.dr	Static PE information: section name: .aady
Source: MFC42u.dll.7.dr	Static PE information: section name: .pqe
Source: MFC42u.dll.7.dr	Static PE information: section name: .zfem
Source: MFC42u.dll.7.dr	Static PE information: section name: .ila
Source: MFC42u.dll.7.dr	Static PE information: section name: .ygqg
Source: MFC42u.dll.7.dr	Static PE information: section name: .onr
Source: MFC42u.dll.7.dr	Static PE information: section name: .brn
Source: MFC42u.dll.7.dr	Static PE information: section name: .zch
Source: MFC42u.dll.7.dr	Static PE information: section name: .yithue
Source: MFC42u.dll.7.dr	Static PE information: section name: .jxyn
Source: MFC42u.dll.7.dr	Static PE information: section name: .bvk
Source: MFC42u.dll.7.dr	Static PE information: section name: .yjod
Source: VERSION.dll.7.dr	Static PE information: section name: .qkm
Source: VERSION.dll.7.dr	Static PE information: section name: .cvjb
Source: VERSION.dll.7.dr	Static PE information: section name: .tlmkv
Source: VERSION.dll.7.dr	Static PE information: section name: .wucsxe
Source: VERSION.dll.7.dr	Static PE information: section name: .fltwtj
Source: VERSION.dll.7.dr	Static PE information: section name: .tblq
Source: VERSION.dll.7.dr	Static PE information: section name: .hcmjm
Source: VERSION.dll.7.dr	Static PE information: section name: .nagyk
Source: VERSION.dll.7.dr	Static PE information: section name: .jrucz
Source: VERSION.dll.7.dr	Static PE information: section name: .rnr
Source: VERSION.dll.7.dr	Static PE information: section name: .ths
Source: VERSION.dll.7.dr	Static PE information: section name: .vyfudm
Source: VERSION.dll.7.dr	Static PE information: section name: .bejn
Source: VERSION.dll.7.dr	Static PE information: section name: .lxdw
Source: VERSION.dll.7.dr	Static PE information: section name: .uffn
Source: VERSION.dll.7.dr	Static PE information: section name: .cbmla
Source: VERSION.dll.7.dr	Static PE information: section name: .fcy
Source: VERSION.dll.7.dr	Static PE information: section name: .aady
Source: VERSION.dll.7.dr	Static PE information: section name: .pqe
Source: VERSION.dll.7.dr	Static PE information: section name: .zfem
Source: VERSION.dll.7.dr	Static PE information: section name: .ila
Source: VERSION.dll.7.dr	Static PE information: section name: .ygqg
Source: VERSION.dll.7.dr	Static PE information: section name: .onr
Source: VERSION.dll.7.dr	Static PE information: section name: .brn
Source: VERSION.dll.7.dr	Static PE information: section name: .zch
Source: VERSION.dll.7.dr	Static PE information: section name: .yithue
Source: VERSION.dll.7.dr	Static PE information: section name: .jxyn
Source: VERSION.dll.7.dr	Static PE information: section name: .bvk
Source: VERSION.dll.7.dr	Static PE information: section name: .mzo
Source: WINSTA.dll.7.dr	Static PE information: section name: .qkm
Source: WINSTA.dll.7.dr	Static PE information: section name: .cvjb
Source: WINSTA.dll.7.dr	Static PE information: section name: .tlmkv
Source: WINSTA.dll.7.dr	Static PE information: section name: .wucsxe
Source: WINSTA.dll.7.dr	Static PE information: section name: .fltwtj
Source: WINSTA.dll.7.dr	Static PE information: section name: .tblq
Source: WINSTA.dll.7.dr	Static PE information: section name: .hcmjm
Source: WINSTA.dll.7.dr	Static PE information: section name: .nagyk
Source: WINSTA.dll.7.dr	Static PE information: section name: .jrucz
Source: WINSTA.dll.7.dr	Static PE information: section name: .rnr
Source: WINSTA.dll.7.dr	Static PE information: section name: .ths
Source: WINSTA.dll.7.dr	Static PE information: section name: .vyfudm
Source: WINSTA.dll.7.dr	Static PE information: section name: .bejn
Source: WINSTA.dll.7.dr	Static PE information: section name: .lxdw
Source: WINSTA.dll.7.dr	Static PE information: section name: .uffn
Source: WINSTA.dll.7.dr	Static PE information: section name: .cbmla
Source: WINSTA.dll.7.dr	Static PE information: section name: .fcy
Source: WINSTA.dll.7.dr	Static PE information: section name: .aady
Source: WINSTA.dll.7.dr	Static PE information: section name: .pqe
Source: WINSTA.dll.7.dr	Static PE information: section name: .zfem
Source: WINSTA.dll.7.dr	Static PE information: section name: .ila
Source: WINSTA.dll.7.dr	Static PE information: section name: .ygqg
Source: WINSTA.dll.7.dr	Static PE information: section name: .onr
Source: WINSTA.dll.7.dr	Static PE information: section name: .brn
Source: WINSTA.dll.7.dr	Static PE information: section name: .zch
Source: WINSTA.dll.7.dr	Static PE information: section name: .yithue
Source: WINSTA.dll.7.dr	Static PE information: section name: .jxyn
Source: WINSTA.dll.7.dr	Static PE information: section name: .bvk
Source: WINSTA.dll.7.dr	Static PE information: section name: .sxl
Source: wer.dll.7.dr	Static PE information: section name: .qkm
Source: wer.dll.7.dr	Static PE information: section name: .cvjb
Source: wer.dll.7.dr	Static PE information: section name: .tlmkv
Source: wer.dll.7.dr	Static PE information: section name: .wucsxe
Source: wer.dll.7.dr	Static PE information: section name: .fltwtj
Source: wer.dll.7.dr	Static PE information: section name: .tblq
Source: wer.dll.7.dr	Static PE information: section name: .hcmjm
Source: wer.dll.7.dr	Static PE information: section name: .nagyk
Source: wer.dll.7.dr	Static PE information: section name: .jrucz
Source: wer.dll.7.dr	Static PE information: section name: .rnr
Source: wer.dll.7.dr	Static PE information: section name: .ths
Source: wer.dll.7.dr	Static PE information: section name: .vyfudm
Source: wer.dll.7.dr	Static PE information: section name: .bejn
Source: wer.dll.7.dr	Static PE information: section name: .lxdw
Source: wer.dll.7.dr	Static PE information: section name: .uffn
Source: wer.dll.7.dr	Static PE information: section name: .cbmla
Source: wer.dll.7.dr	Static PE information: section name: .fcy
Source: wer.dll.7.dr	Static PE information: section name: .aady
Source: wer.dll.7.dr	Static PE information: section name: .pqe
Source: wer.dll.7.dr	Static PE information: section name: .zfem
Source: wer.dll.7.dr	Static PE information: section name: .ila
Source: wer.dll.7.dr	Static PE information: section name: .ygqg
Source: wer.dll.7.dr	Static PE information: section name: .onr
Source: wer.dll.7.dr	Static PE information: section name: .brn
Source: wer.dll.7.dr	Static PE information: section name: .zch
Source: wer.dll.7.dr	Static PE information: section name: .yithue
Source: wer.dll.7.dr	Static PE information: section name: .jxyn
Source: wer.dll.7.dr	Static PE information: section name: .bvk
Source: wer.dll.7.dr	Static PE information: section name: .ilb

Source: rPP7AHsBQt.dll	Static PE information: real checksum: 0x7d786c40 should be: 0x1c01f5
Source: WTSAPI32.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1bd189
Source: wer.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1b7763
Source: WINSTA.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1c376e
Source: VERSION.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1bd771
Source: newdev.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1bd7de
Source: WTSAPI32.dll0.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1c06b1
Source: dwmapi.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1b3793
Source: OLEACC.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1be450
Source: MFC42u.dll.7.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x1c22ec

Source: RDVGHelper.exe.7.dr

Static PE information: 0x6FC4BD96 [Sun Jun 3 07:02:46 2029 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Windows Update Standalone Installer command line found (may be used to bypass UAC)

Show sources

Source: wusa.exe, 0000001C.00000000.380896206.00007FF6D65A7000.00000002.00020000.sdmp

Memory string: DWS;zWusaHiddenFailed to allocate and initialize Administrators group SID.WusaIsUserAdminFailed to check token membership.Failed to get message text for id %uWusaLoadMessageWusaMessageBoxFailed: TaskDialog()Failed to get message for error 0x%xWusaGetErrorMessageWusaCreateLockFileFailed to allocate memory for lock file path.Failed to create lock file %SFailed: GetFullPathName() failed for %SWusaGetFullPathNameFailed to allocate memory for full path.Failed to create extract job for location: %SWusaExtractAllFilesFromCabinetFailed to add container for cabinet: %SFailed: ExtractAllFiles()Failed to extract files from cabinet %SFailed: LookupPrivilegeValue()EnablePrivilegeFailed: OpenProcessToken()Failed: AdjustTokenPrivileges()Failed: AdjustTokenPrivileges(); not all token privileges were assignedFailed: GetTokenInformation()WusaGetUserSIDFailed: CopySid()Failed to PostMessage to progress window, error code %uWusaPostMessagewusa.lockFailed to create eventAppModule::InitFailed to initialize COM securityFailed to initialize critical sectionFailed to show welcome dialogFailed to show non administrator dialogUser is not a member of the Administrators group.Failed to show multiple instance dialogError: Another instance of wusa.exe is running.Failed to create sandboxCreated sandbox %lsFailed: AppModule::SetScanCabPath()Failed to get application title text, id %uFailed to allocate BSTR for application titleFailure returned by InitCommonControlsEx()Failure returned by CreateFont()Failed to get STR_EXPAND_START textFailed to get STR_EXPAND_START_UNINSTALL textFailed to get STR_SEARCH_START textFailed to get STR_COPY_START textFailed to get STR_UNINSTALL_START textFailed to set done event to release shutdown blockAppModule::UninitDeleting sandbox %SAppModule::DeleteSandBoxFailed to delete sandboxCommandLineToArgvW() failed.AppModule::ParseCommandLineError: Too few arguments.Failed to get command line length.Failed to allocate memory for ignored arguments.Failed. Restart mode was supplied multiple times30Failed to parse switchFailed. /warnrestart has invalid formatFailed. /kb was supplied multiple timesFailed. /kb has invalid formatKBFailed to prefix KB numberFailed. /log was supplied multiple timesFailed. /gpmode was supplied multiple timesFailed. /gpmode has invalid formatFailed to allocate memory for product codeFailed to set product code to %lsFailed to add an argument to the ignored list Failed to add a blank space to the ignored argument listUnrecognized argument %SFailed to get MSU file nameFailed to get MSU file name or KB numberFailed: /uninstall with /kb and /quiet options is not supportedFailed to show /extract not supported message boxFailed: /extract is not a supported optionCommand line is %lsFailed to get source lengthAppModule::CopyStringWithQuoteFailed to allocate temp buffer"%s"Failed to copy stringFailure returned by SystemParametersInfo()AppModule::CreateFontWFailure returned by CreateFontIndirectW()Failure returned by DeleteObject()Failure r

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\2YZyR\WTSAPI32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\v74M\WTSAPI32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\hxqisrGT\OLEACC.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\v74M\wusa.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\9Q3FqD\MFC42u.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\AzSj\newdev.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\QpqMx\RdpSaUacHelper.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\30KRxXoL\dwmapi.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\QpqMx\WINSTA.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\CDG6Inqi\wscript.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\CDG6Inqi\VERSION.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\I3GPZ\wbengine.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\I3GPZ\wer.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe

Code function: 31_2_00007FF7D7EC3080 WinSqmSetString,IsIconic,ShowWindow,GetSystemMenu,CheckMenuItem,

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\explorer.exe TID: 6452

Thread sleep count: 32 > 30

Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Last function: Thread delayed

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\QpqMx\RdpSaUacHelper.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\QpqMx\WINSTA.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CDG6Inqi\wscript.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CDG6Inqi\VERSION.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\I3GPZ\wbengine.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\I3GPZ\wer.dll	Jump to dropped file

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014005C340 GetSystemInfo,

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005D290 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6591BC0 memset,memset,CoInitializeEx,FindFirstFileW,GetLastError,lstrcmpiW,FindNextFileW,GetLastError,GetCommandLineW,EventWrite,FindClose,CoUninitialize,LocalFree,
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D6598D04 memset,memset,memset,FindFirstFileW,GetLastError,lstrcmpW,lstrcmpW,DeleteFileW,GetLastError,MoveFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,GetLastError,LocalFree,
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EB1914 SHCreateDirectory,memset,FindFirstFileW,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,SHCreateDirectory,CompareStringOrdinal,CreateFileW,CloseHandle,GetLastError,SetFileAttributesW,CopyFileExW,GetLastError,CoCreateGuid,StringFromGUID2,MoveFileW,GetLastError,CopyFileExW,GetLastError,FindNextFileW,FindClose,GetLastError,

Source: explorer.exe, 00000007.00000000.302670174.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: 30d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.281611495.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000007.00000000.281611495.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000007.00000000.277518675.0000000006949000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.302670174.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.302670174.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000007.00000000.296064998.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.265136759.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000007.00000000.302670174.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000007.00000000.265136759.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000007.00000000.277518675.0000000006949000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD002

Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe

Code function: 31_2_00007FF7D7EB8844 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,

Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe

Code function: 31_2_00007FF7D7EC80EC InterlockedPushEntrySList,DecodePointer,GetProcessHeap,HeapFree,

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_0000000140048AC0 LdrLoadDll,FindClose,

Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Code function: 23_2_00007FF787784CE0 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Code function: 23_2_00007FF787784AEC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D65A6830 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Code function: 28_2_00007FF6D65A6AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EE00E0 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Code function: 31_2_00007FF7D7EDFCB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	Code function: 36_2_00007FF6EE8A1810 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	Code function: 36_2_00007FF6EE8A1AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Code function: 38_2_00007FF61C02A808 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Code function: 38_2_00007FF61C02AAC0 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Code function: 41_2_00007FF6159D6630 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Code function: 41_2_00007FF6159D6340 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: WTSAPI32.dll.7.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFFAC2B2A20 protect: page execute and read and write

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Uses Atom Bombing / ProGate to inject into other processes

Show sources

Source: C:\Windows\System32\rundll32.exe

Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1

Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe

Code function: 23_2_00007FF7877752E0 calloc,CreateWellKnownSid,GetLastError,memset,SetEntriesInAclW,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,CreateNamedPipeW,GetLastError,CreateEventW,GetLastError,free,LocalFree,

Source: C:\Users\user\AppData\Local\v74M\wusa.exe

Code function: 28_2_00007FF6D6597EE8 AllocateAndInitializeSid,GetLastError,FreeSid,LocalFree,

Source: explorer.exe, 00000007.00000000.255120482.0000000001400000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: explorer.exe, 00000007.00000000.255120482.0000000001400000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.255120482.0000000001400000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.255120482.0000000001400000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.294630190.0000000000EB8000.00000004.00000020.sdmp	Binary or memory string: ProgmanX
Source: explorer.exe, 00000007.00000000.265136759.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndAj

Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\v74M\wusa.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	Queries volume information: unknown VolumeInformation

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe

Code function: 23_2_00007FF787784E70 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\AppData\Local\hxqisrGT\sethc.exe

Code function: 38_2_00007FF61C022E44 GetVersionExW,SystemParametersInfoW,GetLastError,memset,GetVersionExW,memset,#460,PathFileExistsW,#65,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Command and Scripting Interpreter12	Valid Accounts1	Valid Accounts1	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	Access Token Manipulation11	Valid Accounts1	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection313	Virtualization/Sandbox Evasion1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation11	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection313	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	System Information Discovery25	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing2	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Timestomp1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
rPP7AHsBQt.dll	60%	Metadefender		Browse
rPP7AHsBQt.dll	76%	ReversingLabs	Win64.Infostealer.Dridex
rPP7AHsBQt.dll	100%	Avira	TR/Crypt.ZPACK.Gen

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\9Q3FqD\MFC42u.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\CDG6Inqi\VERSION.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\30KRxXoL\dwmapi.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\I3GPZ\wer.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\2YZyR\WTSAPI32.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\hxqisrGT\OLEACC.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\QpqMx\WINSTA.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\AzSj\newdev.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\2YZyR\WTSAPI32.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
28.2.wusa.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
23.2.RDVGHelper.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
31.2.Dxpserver.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
36.2.InfDefaultInstall.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.2.sethc.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
41.2.DevicePairingWizard.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.loaddll64.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://schemas.microsoft.coG	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000007.00000000.298400230.0000000006840000.00000004.00000001.sdmp	false		high
http://schemas.microsoft.coG	explorer.exe, 00000007.00000000.302989833.0000000008CBE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492692
Start date:	28.09.2021
Start time:	22:57:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 21s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	rPP7AHsBQt (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winDLL@41/19@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 64.5% (good quality ratio 57.4%) Quality average: 83.3% Quality standard deviation: 34%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.82.210.154, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.82.209.183, 204.79.197.200, 13.107.21.200 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/492692/sample/rPP7AHsBQt.dll

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe	4CYPSBYNYQ.dll	Get hash	malicious	Browse
	RVoWoXkXlE.dll	Get hash	malicious	Browse
	DC2zX44MQr.dll	Get hash	malicious	Browse
	itB5x2K4T3.dll	Get hash	malicious	Browse
	hR33M29cgO.dll	Get hash	malicious	Browse
	ujc4RSCWM6.dll	Get hash	malicious	Browse
	VJRmwvPkMp.dll	Get hash	malicious	Browse
	zW80EdEp4O.dll	Get hash	malicious	Browse
	BUal7Z7t7a.dll	Get hash	malicious	Browse
	RG2JwdyFZp.dll	Get hash	malicious	Browse
	xmNOO4kr1W.dll	Get hash	malicious	Browse
	J68J8AW3wu.dll	Get hash	malicious	Browse
	eIqCS9Cchl.dll	Get hash	malicious	Browse
	0oSZeHvzK2.dll	Get hash	malicious	Browse
	6mRFq6lDxY.dll	Get hash	malicious	Browse
	hwhmwAJCgs.dll	Get hash	malicious	Browse
	FzIHOw5IB1.dll	Get hash	malicious	Browse
	TBt2yq48s1.dll	Get hash	malicious	Browse
	ElRN8C51mm.dll	Get hash	malicious	Browse
	peUe7aKWzZ.dll	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	107008
Entropy (8bit):	6.213211715541241
Encrypted:	false
SSDEEP:	1536:jZPv9YEIT8g15BZNWNBWNK5/FzUJmufD6o6ffv+Difx1P4dirH+Z3sUS+CvilU/s:lPBLBBbWDwff22J1Puq+y+HUk
MD5:	0BF1E2262C95164A0B244174167FBD85
SHA1:	81BD08AD31BF2665F298406F843924588BB7606B
SHA-256:	6B35C354C480D232A96EF73EABA268EF7D94F30A3D3A1161B69081B048A27E29
SHA-512:	FD01664A377359E72A67F52E8DFFDD237E24F8ACC158B3A478F71CAAC1CE2EDDB19B15E1FC66CB73E77DDED564D6A98FD3064BDA20419D8C949505457721BF5C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 4CYPSBYNYQ.dll, Detection: malicious, Browse Filename: RVoWoXkXlE.dll, Detection: malicious, Browse Filename: DC2zX44MQr.dll, Detection: malicious, Browse Filename: itB5x2K4T3.dll, Detection: malicious, Browse Filename: hR33M29cgO.dll, Detection: malicious, Browse Filename: ujc4RSCWM6.dll, Detection: malicious, Browse Filename: VJRmwvPkMp.dll, Detection: malicious, Browse Filename: zW80EdEp4O.dll, Detection: malicious, Browse Filename: BUal7Z7t7a.dll, Detection: malicious, Browse Filename: RG2JwdyFZp.dll, Detection: malicious, Browse Filename: xmNOO4kr1W.dll, Detection: malicious, Browse Filename: J68J8AW3wu.dll, Detection: malicious, Browse Filename: eIqCS9Cchl.dll, Detection: malicious, Browse Filename: 0oSZeHvzK2.dll, Detection: malicious, Browse Filename: 6mRFq6lDxY.dll, Detection: malicious, Browse Filename: hwhmwAJCgs.dll, Detection: malicious, Browse Filename: FzIHOw5IB1.dll, Detection: malicious, Browse Filename: TBt2yq48s1.dll, Detection: malicious, Browse Filename: ElRN8C51mm.dll, Detection: malicious, Browse Filename: peUe7aKWzZ.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L..................g......g......g......g...........g......g.w....g......Rich...................PE..d......o.........."......B...b......`G.........@..........................................`.......... ..........................................................T...............$.......T............................g...............h...............................text....@.......B.................. ..`.rdata...A...`...B...F..............@..@.data...............................@....pdata..T...........................@..@.rsrc...............................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\2YZyR\WTSAPI32.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	4.12006401986381
Encrypted:	false
SSDEEP:	12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	00AED0EC34CFF50E3619BF8D25D97B52
SHA1:	DBFAC54FBF1A32D749AA02C0BE92943FCEB27847
SHA-256:	F4DF23DDEDE2B0C6EAFE9CDD3B02A701F433CBCCD30E9E75D2F8B6E767C56D1B
SHA-512:	4F32E6C34262317DBDB0DCA25C62788AAE5F8E179A663DE0414F4EEE80BEAEB9E11B32FE6DBD00129896989ECB6D82A7F22D17EC5F301067860649DA6FFAF1F4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ................p..........@.............................0......@lx}..b.......................................... .......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	304640
Entropy (8bit):	5.920357039114308
Encrypted:	false
SSDEEP:	6144:SidsFxbUPoT/FPrriCEe+oiXoGJm7JwQ9oWxDEHZwj:xaFxbFDBsBo6maPWxDcwj
MD5:	DCCB1D350193BE0A26CEAFF602DB848E
SHA1:	02673E7070A589B5BF6F217558A06067B388A350
SHA-256:	367CEA47389B6D5211595AE88454D9589AA8C996F5E765904FFEDE434424AF22
SHA-512:	ECD3C32E2BED31FC6328CA4B171B5D2503A2795324667F67FF48A67DF7C8B88760A62C0119A173487B9886E6AF3994025A85E42B064BEA38A466A6848AF65541
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9. E}.N.}.N.}.N...M.~.N...J.d.N...K.{.N...O.X.N.}.O.F.N...G.[.N....\|.N...L.\|.N.Rich}.N.........PE..d....z............".................`..........@..........................................`.......... ..........................................\|....0..H....... ...............p...`...T............................<...............=...............................text...<........................... ..`.rdata..6...........................@..@.data...............................@....pdata.. ...........................@..@.rsrc...H....0......................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\30KRxXoL\dwmapi.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	4.118074670013424
Encrypted:	false
SSDEEP:	12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	120EA6047784304E8B9D9B314F5A5F7A
SHA1:	D5AB85335BDF4D948E00BCE3FF956AE83290CB8F
SHA-256:	E2A042740FCFBFCFD12B5D4F078BD806A24BC434F01B881F3DB799AE72564AC6
SHA-512:	763498B2F8F4B1861E7AF7BC89488D3492FECF60A3175CAFEED5F3C5B4002C1266D22F28694D146CC075760BCF05324B9756255140D1AD697838692B3AB40D7E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ................p..........@.............................0......@lx}..b.......................................... ..&....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	92160
Entropy (8bit):	5.664138088677901
Encrypted:	false
SSDEEP:	1536:D/BmrFjio5/vzDSPwiEKi3xGyibqZ3qOT3:9mp5SwiEKWZiTo3
MD5:	E23643C785D498FF73B5C9D7EA173C3D
SHA1:	56296F1D29FC2DCBFAA1D991C87B10968C6D3882
SHA-256:	40F423488FC0C13DED29109F8CC1C0D2CCE52ECB1BD01939EF774FE31014E0F4
SHA-512:	22E29A06F19E2DA941A707B8DA7115E0F5962617295CC36395A8E9B2A98F0239B6519B4BF4AB1DC671DEF8CD558E8F59F4E50C63130D392D1E085BBF6B710914
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a...h...o......b......r......i......j...a..........c.....j.`......`...Richa...................PE..d...x.1".........."......\...........b.........@.....................................H....`.......... ..............................................................................\|..T...........................`r..............`s..8............................text....[.......\.................. ..`.rdata...-...p.......`..............@..@.data... ...........................@....pdata..............................@..@.rsrc...............................@..@.reloc...............f..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\9Q3FqD\MFC42u.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1806336
Entropy (8bit):	4.151016544012089
Encrypted:	false
SSDEEP:	12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Mh:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	3F5481C3CF2BB7FAAFEEFB882A08F15D
SHA1:	B4FB8B3B5DE6F799F30A7B16D69D7B14A8A99119
SHA-256:	A20E653ECB06D68CF4D410F1BF596E0D924ADC851E8287E140427D6382F9601D
SHA-512:	7115E2589D5195D04556909B122FDE4AC1B803343005159B274644535580F6A166C3CA16881DE70CBBE53E2F498FE27538786A129D52AE28B42089F4A3EBFDD1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." .........p......p..........@....................................@lx}..b.......................................... ...l...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.871127662725052
Encrypted:	false
SSDEEP:	192:kXe0PT5V21py9AA/lvmBfXWqFwO6Wdz3ios9aW/GW:kXe5pgAMhAXWq6OFZcaW/GW
MD5:	5FDB30927E9D4387D777443BF865EEFD
SHA1:	E802BE85298183F050141EAEB87930657A8E07A6
SHA-256:	C57CE112AB04B00CC7270B6D76F005FFB8E2ED3ADC6904CF5C5F184EE077FA32
SHA-512:	776F5B5640C22373E641DE4C3C6F4C7DFF0CD39662108B8DFA070EE0A867B3A6401976BD2B78BC766D469105AF2E6E466C4140FFE40C49146BB6B09591676773
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............mo..mo..mo..j..mo..l..mo..k..mo..n..mo..mn..mo..g..mo.....mo..m..mo.Rich.mo.........PE..d......K.........."..........&......@..........@.............................p......?:....`.......... .......................................&.......P.......@...............`.. ....#..T............................ ...............!...............................text...@........................... ..`.rdata....... ......................@..@.data........0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc.. ....`.......2..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\AzSj\newdev.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	4.114146296909227
Encrypted:	false
SSDEEP:	12288:FVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:cfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	D3B5C0D22ED8729DA2FAD2B5D1E5932A
SHA1:	66679B519C5CB18C370DA672A9FC16A76CEEA6E7
SHA-256:	CFE9832E3DD1A7E2FEDAB63B25CB7C8EB95EFF8A0D5607B7D54C97258350EC7B
SHA-512:	9D2A70ECA5CDECE764EDFAE3D6C71B9D61E582469EDE505555068DBEF0FF006694550C7E653513C98BCC3B6363B8BD0549C8AB6B7159E08296845C64CED05367
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ................p..........@.............................0......@lx}..b.......................................... ..]....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\CDG6Inqi\VERSION.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	4.112814429004735
Encrypted:	false
SSDEEP:	12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	422CF18F068925A7705B12D5EAB257B2
SHA1:	4E1B2934052304DABEC01A71EAD49AEFE67E7D12
SHA-256:	06778AE98D60D4D961C551CA1004830899F54BE06226E2249BF547F930BA43E1
SHA-512:	FEE21A47E88855116FE44A021F6F5BD4524568941FA54A552E857951E08A27E0869F102A45608AFB56C17D1120EA69116B5E0DF41DFF8FFD8002FB7FD0A0D4C7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ................p..........@.............................0......@lx}..b.......................................... ..+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\CDG6Inqi\wscript.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	5.729539450068024
Encrypted:	false
SSDEEP:	1536:8HSpBlnak9UH8bCAHZ1LQ434syPz7M5hh/kzhwS827HuYHwHugXEYJ6S7775MWUn:aC4HWCp/fM5hvNebgXEYJN73uWUZxtt
MD5:	9A68ADD12EB50DDE7586782C3EB9FF9C
SHA1:	2661E5F3562DD03C0ED21C33E2888E2FD1137D8C
SHA-256:	62A95C926C8513C9F3ACF65A5B33CBB88174555E2759C1B52DD6629F743A59ED
SHA-512:	156CAED6E1BF27B275E4BA0707FB550F1BF347A26361D6D3CAD12C612C327686950B47B6C5487110CF8B35A490FAADC812ADE3777FFF7ED76A528D970914A6E0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................n.........Rich...................PE..d....U.E.........."......2...R......@*.........@....................................8w....`.............................................8...8...................................T.......T..........................................................................text..."1.......2.................. ..`.rdata..F....P.......6..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..T............t..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\I3GPZ\wbengine.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1535488
Entropy (8bit):	6.5079506357027785
Encrypted:	false
SSDEEP:	24576:UgSNpxTPrVDqUtzohGP5ilEI1T4N9sS4aC+369riDQMbbKoLtHWwtPJhVx8OIC9h:UtNpxTPrVuUtMhGRuEAc3sfaYhiDXmod
MD5:	6E235F75DF84C387388D23D697D6540B
SHA1:	A97DE324726F3ECBA383863CB643E4AD5DADB4DC
SHA-256:	7113DD02243E9368EF3265CF5A7F991F9B4D69CAB70B1A446062F8DD714AFC8E
SHA-512:	F294A7F7AD6FAD1E2F2E82123AFB78B76E56C603EF3FA37CDD73992DE91640EB55E2F002072DD57B850B1D7E9162F49B4DE973CFE71DF35DAD958B439E1F287A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|r..\|r..\|r..q..\|r..v..\|r..w..\|r..s..\|r..\|s..}r..{.M\|r..r..\|r.....\|r..p..\|r.Rich.\|r.........................PE..d...!............"..........z......p..........@.....................................v....`.......... .........................................\|............ ...u..................@...T....................=..(....<..............(=...............................text............................... ..`.rdata..b.... ......................@..@.data....&..........................@....pdata...u... ...v..................@..@.rsrc................Z..............@..@.reloc...............f..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\I3GPZ\wer.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1785856
Entropy (8bit):	4.122378222596304
Encrypted:	false
SSDEEP:	12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	6D04485BF586C674E145F2F40AB3C577
SHA1:	12065B852C5AAD44370755290123E4EEC3A0BFBA
SHA-256:	CC04B9DE9881C5F6B5B320AAE8CB4DE4CE2C7C32F8BBEC92C72DAD59F59685EE
SHA-512:	959D86E8CCB86137AA97F58C7B8424764EC0DEB524809505AFEF170097801389F78415AE4FDB439C3D2815D2BE797959FBF6DE15C48A18312D9C3723667D2C99
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ......... ......p..........@.............................@......@lx}..b.......................................... ..W....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\QpqMx\RdpSaUacHelper.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29184
Entropy (8bit):	5.483991269470949
Encrypted:	false
SSDEEP:	384:x1i6wkbsVQCy+MmItEV3DAOnKjXxyWzyWpaTeinj7qHk9FyMWagW:x1TwgsmCRMmIcTRnKbQW/kj7uk2U
MD5:	DA88A7B872B1A52F2465D12CFBA4EDAB
SHA1:	8421C2A12DFF33B827E8A6F942C2C87082D933DB
SHA-256:	6A97CF791352C68EFFEFCBE3BB23357A76D93CB51D08543ED993210C56782627
SHA-512:	CA96D8D423235E013B228D05961ED5AA347D25736F8DFC4C7FEB81BFA5A1193D013CD29AA027E1793D6835E52F6557B3491520D56DE7C09F0165F1D5C8FD9ED8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......& ..bA..bA..bA..k9..`A...%..cA...%..`A...%..pA...%..uA..bA...A...%..hA...%p.cA...%..cA..RichbA..........PE..d...?.1V.........."......6...>...... =.........@.....................................f....`.......... ......................................4k.......................................f..T............................U...............V...............................text....4.......6.................. ..`.rdata...'...P...(...:..............@..@.data................b..............@....pdata...............d..............@..@.rsrc................f..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\QpqMx\WINSTA.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1785856
Entropy (8bit):	4.130571614423483
Encrypted:	false
SSDEEP:	12288:vVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:GfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	5343AEA48CE4722D13097BBF228724E0
SHA1:	D2FA1C270C847B97C8C170C4D7EA2D80470600F7
SHA-256:	819E3D7921B463B88EBB76E6C7C97880A6CCFD5F4F530A4F707EC4D1B2143D7B
SHA-512:	322512540578740AF0AC1C4959B288A08B0CFB820FBE94852BB3F165A05A433911F92B8CAE10FEF67F973F53D5A8919954540D062E6B5A53CC67956438CBF35F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ......... ......p..........@.............................@......@lx}..b.......................................... ..m....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\hxqisrGT\OLEACC.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	4.1144286325107045
Encrypted:	false
SSDEEP:	12288:aVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:HfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	40558B8832E21854D8782294C56CFF29
SHA1:	C0D4D63CF9B0803AA202861D6C6767E8C6DAB11D
SHA-256:	9201A707728F3D83E5787741F4FF978AF65DC004E85A51B0851B9DA53A4DA2DE
SHA-512:	8886F06A86DFD0F30DCC07E9179F68003EDEC537597BE16F36EC74750F95F2A21908F04F139FB09EC63F4C207599657D784026E6E07E78C48435F220E08EDD4D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ................p..........@.............................0......@lx}..b.......................................... .......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\hxqisrGT\sethc.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	284160
Entropy (8bit):	6.85709982153028
Encrypted:	false
SSDEEP:	6144:z1dgUn5C1AlGr66uFz2LJGRg4kLNnei36cw:XiKFCdUc
MD5:	1C0BF0B710016600C9D9F23CC7103C0A
SHA1:	EFA944D43F76AEA0C72A5C7FB3240ADC55E7DAE8
SHA-256:	AEA110EE0865635EE764B1B40409DB3A3165E57EFFF4CAF942BCD8982F3063C5
SHA-512:	775F075A9D43A887B1AFB000E5E2CBC8EF514C4B1864C694977342307C61173DACC5BA8E5D47002870687B24914B3E6D2D0EB48BF99517822511A8BA2A122515
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r../6q.\|6q.\|6q.\|Y..}5q.\|Y..} q.\|Y..}1q.\|Y..}-q.\|6q.\|8p.\|Y..}$q.\|Y.[\|7q.\|Y..}7q.\|Rich6q.\|........................PE..d.... ............"............................@..........................................`.......... ......................................P........`..h'...P..................x.......T...........................0...............0................................text............................... ..`.rdata...j.......l..................@..@.data...8....0......................@....pdata.......P.......$..............@..@.rsrc...h'...`...(...,..............@..@.reloc..x............T..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\v74M\WTSAPI32.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	4.120050321896044
Encrypted:	false
SSDEEP:	12288:8VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:JfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	9DDB78BD96C660A463481D09DD4F4564
SHA1:	1A01B02E0E8DD5E040EA22DDB751B8A0052823C1
SHA-256:	24D3AB5E4FD539E035CEB9FE4311C0F8DC19FEEE0C07C08429CAD81FEB386D19
SHA-512:	172A2B8CB9E650BBFF677263567B68132514BD23E2B21101037819A54F1B41B9A2983DA37D101B69E8A110C667CCB9A66DA00722A94F9DE4DBE79486D8D90812
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.#..DN^.........." ................p..........@.............................0......@lx}..b.......................................... .......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\v74M\wusa.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	308736
Entropy (8bit):	6.55894801361276
Encrypted:	false
SSDEEP:	6144:TozDd3UafMCFoMVclxM8cVM49UApxyN90vE:ToXd33MCFoqSxM5MmUAy90
MD5:	04CE745559916B99248F266BBF5F9ED9
SHA1:	76FA00103A89C735573D1D8946D8787A839475B6
SHA-256:	1D86701A861FFA88FE050A466E04281A4809C334B16832A84231DC6A5FBC4195
SHA-512:	B4D2EF6B90164E17258F53BCAF954076D02EDB7F496F4F79B2CF7848B90614F6160C8EB008BA5904521DD8B1449840B2D7EE368860E58E01FBEAB9873B654B3A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..-..~..~..~v./~}.~....}.~....i.~....{.~....d.~..~w.~....k.~..C~~.~....~.~Rich..~................PE..d.....TS.........."......`...X.......f.........@....................................g.....`.......... .......................................I...........T...p..................`....?..T...................Pq..(...Pp..............xq..@............................text...3^.......`.................. ..`.rdata..^....p.......d..............@..@.data........`.......T..............@....pdata.......p.......X..............@..@.rsrc....T.......V...^..............@..@.reloc..`...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a Download File
Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	4462
Entropy (8bit):	5.464123225028128
Encrypted:	false
SSDEEP:	48:eq8hbUtZS9Ok9c3cIz2XwQ8KdIoiIEOBAUq8hbU0C1Dtm+7bHjGo973/YVFJ:eV5iZL3d6F8mfNV59C1DtbPao9wVFJ
MD5:	AB09C0D653A04FE6626151A759C9807C
SHA1:	B672006CC0146E3408482C264F8C01EEAAA62843
SHA-256:	9BCAEE6BF895589362D63560EA6B703BDA67147311A2FABCDB1590FC19E09C09
SHA-512:	451CA012C1DB77B533FCAA32D7AEB6F2103621AE5855CFC15E7533500643AC7438A11437656486B9C06B0D00A63DF5D5AB28F0C99A9B0915C0BD57CF696BCBF2
Malicious:	false
Preview:	........................................user.........................................user.....................RSA1................9.h.U.......sr.k.....JAS..7#.Qt...{.....E.{./.O.........oO..pu..w.\R^._w.....k.....=5.c\IG.7E5@me...n....d."..bNd....x.S.....................z..O.......F..yQ.C..8..m......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ...F.j5.._Z.LuT...OTfb...f.Q................ ..._1.S...]F.r..)..C[..N^.fxT.]N..........y.9..~...1...%.$.l<.5....2....z..Q.....#./..$4.......6...d[....Z?.D@..=.7.[....\......sU^.33.]\|....G..Tr...t.'&....f.f. .........g1..4....R...t0a.V.....rm.dZ....<..o..k;....us!.\|... .RM......r..A.>8%.q....Q..."...o.........0..-O.E........vU...;..._:`..+.:.......!.......G_......k._/.<..KP..n.3F..<.......o.+..... .&.tUx..>0.&..`Ar.,...\l..=..8.Y..#......I ..'.k4.W..(........."DQd.5G...-4.%{z.N..`...r..n......nF...x.8..1~..p`.s-...9.........=3..".E..E...)...VU.J.<o...?.z.g...`bt..K..D....G....\|..

Static File Info

General
File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	4.124181284517686
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	rPP7AHsBQt.dll
File size:	1777664
MD5:	6966f6e2c68c1f536d63b50bb966c031
SHA1:	c10eace5e0b5c0531895ed1d02332e3e8bd0fd32
SHA256:	67e634c8f431ed69d672dca57c2bd493772b24fdee37432aa8fc3e1822f0b804
SHA512:	365cefcf86f2d1b12e59d819c3dda9733003592a6a3cbf010b15d543547f2de2038dc659301a3f454881b76c644d929bb24c382bb70b349a621f95047457c19f
SSDEEP:	12288:RVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:gfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|.

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x140041070
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	6668be91e2c948b183827f040944057f

Entrypoint Preview

Instruction
dec eax
xor eax, eax
dec eax
add eax, 5Ah
dec eax
mov dword ptr [00073D82h], ecx
dec eax
lea ecx, dword ptr [FFFFECABh]
dec eax
mov dword ptr [00073D7Ch], edx
dec eax
add eax, ecx
dec esp
mov dword ptr [00073D92h], ecx
dec esp
mov dword ptr [00073DA3h], ebp
dec esp
mov dword ptr [00073D7Ch], eax
dec esp
mov dword ptr [00073D85h], edi
dec esp
mov dword ptr [00073D86h], esi
dec esp
mov dword ptr [00073D8Fh], esp
dec eax
mov ecx, eax
dec eax
sub ecx, 5Ah
dec eax
mov dword ptr [00073D89h], esi
dec eax
test eax, eax
je 00007F6210C4591Fh
dec eax
mov dword ptr [00073D45h], esp
dec eax
mov dword ptr [00073D36h], ebp
dec eax
mov dword ptr [00073D7Fh], ebx
dec eax
mov dword ptr [00073D70h], edi
dec eax
test eax, eax
je 00007F6210C458FEh
jmp ecx
dec eax
add edi, ecx
dec eax
mov dword ptr [FFFFEC37h], ecx
dec eax
xor ecx, eax
jmp ecx
retn 0008h
ud2
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebx
dec eax
sub esp, 00000080h
mov eax, F957B016h
mov byte ptr [esp+7Fh], 00000037h
mov edx, dword ptr [esp+78h]
inc ecx
mov eax, edx
inc ecx
or eax, 5D262B0Ch
inc esp
mov dword ptr [esp+78h], eax
dec eax
mov dword ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[LNK] VS2012 UPD4 build 61030
[ASM] VS2013 UPD2 build 30501
[ C ] VS2012 UPD2 build 60315
[C++] VS2013 UPD4 build 31101
[RES] VS2012 UPD3 build 60610
[LNK] VS2017 v15.5.4 build 25834
[ C ] VS2017 v15.5.4 build 25834
[ASM] VS2010 build 30319
[EXP] VS2015 UPD1 build 23506
[IMP] VS2008 SP1 build 30729
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD2 build 60315
[C++] VS2015 UPD1 build 23506
[ C ] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1b1010	0x597	.bvk
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa6390	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x468	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc1000	0x2324	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x42000	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40796	0x41000	False	0.776085486779	data	7.73364605679	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x42000	0x64fd0	0x65000	False	0.702390160891	data	7.86574512659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa7000	0x178b8	0x18000	False	0.0694580078125	data	3.31515306295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xbf000	0x12c	0x1000	False	0.06005859375	PEX Binary Archive	0.581723022719	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x880	0x1000	False	0.139892578125	data	1.23838501563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc1000	0x2324	0x3000	False	0.0498046875	data	4.65321444248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.qkm	0xc4000	0x74a	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cvjb	0xc5000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tlmkv	0xc7000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wucsxe	0xc8000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fltwtj	0x10e000	0x1267	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tblq	0x110000	0x5a7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hcmjm	0x111000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nagyk	0x157000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jrucz	0x158000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rnr	0x159000	0x3fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ths	0x15a000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vyfudm	0x15b000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bejn	0x15c000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lxdw	0x15d000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.uffn	0x15e000	0x3ba	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cbmla	0x15f000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fcy	0x160000	0x451c2	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.aady	0x1a6000	0x706	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pqe	0x1a7000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zfem	0x1a9000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ila	0x1aa000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ygqg	0x1ab000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.onr	0x1ac000	0x3ba	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.brn	0x1ad000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zch	0x1ae000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yithue	0x1af000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jxyn	0x1b0000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bvk	0x1b1000	0x5a7	0x1000	False	0.189453125	data	2.59802364405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc00a0	0x370	data	English	United States
RT_MANIFEST	0xc0410	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
USER32.dll	LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
SETUPAPI.dll	CM_Get_Resource_Conflict_DetailsW
KERNEL32.dll	DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
GDI32.dll	CreateBitmapIndirect, GetPolyFillMode
CRYPT32.dll	CertGetCTLContextProperty
ADVAPI32.dll	AddAccessDeniedObjectAce
SHLWAPI.dll	ChrCmpIW

Exports

Name	Ordinal	Address
HidD_FlushQueue	1	0x14002b8a8
HidD_FreePreparsedData	2	0x14000f194
HidD_GetAttributes	3	0x14001cf34
HidD_GetConfiguration	4	0x14002d17c
HidD_GetFeature	5	0x140011ca4
HidD_GetHidGuid	6	0x140022f50
HidD_GetIndexedString	7	0x140005078
HidD_GetInputReport	8	0x14001a15c
HidD_GetManufacturerString	9	0x1400145b8
HidD_GetMsGenreDescriptor	10	0x140037ee0
HidD_GetNumInputBuffers	11	0x1400343e4
HidD_GetPhysicalDescriptor	12	0x140027ab0
HidD_GetPreparsedData	13	0x140034084
HidD_GetProductString	14	0x140027d6c
HidD_GetSerialNumberString	15	0x140035988
HidD_Hello	16	0x140033514
HidD_SetConfiguration	17	0x140032248
HidD_SetFeature	18	0x140020ee8
HidD_SetNumInputBuffers	19	0x140030554
HidD_SetOutputReport	20	0x1400156f4
HidP_GetButtonCaps	21	0x1400193b8
HidP_GetCaps	22	0x140039ad0
HidP_GetData	23	0x14002bd24
HidP_GetExtendedAttributes	24	0x14001ee98
HidP_GetLinkCollectionNodes	25	0x140039404
HidP_GetScaledUsageValue	26	0x14003af70
HidP_GetSpecificButtonCaps	27	0x14001f3dc
HidP_GetSpecificValueCaps	28	0x1400145b8
HidP_GetUsageValue	29	0x140004204
HidP_GetUsageValueArray	30	0x140037e78
HidP_GetUsages	31	0x1400066c8
HidP_GetUsagesEx	32	0x14002c62c
HidP_GetValueCaps	33	0x1400095a4
HidP_InitializeReportForID	34	0x1400143e0
HidP_MaxDataListLength	35	0x140020fbc
HidP_MaxUsageListLength	36	0x140006430
HidP_SetData	37	0x14002e6f4
HidP_SetScaledUsageValue	38	0x1400135d8
HidP_SetUsageValue	39	0x140011438
HidP_SetUsageValueArray	40	0x14001368c
HidP_SetUsages	41	0x140004f24
HidP_TranslateUsagesToI8042ScanCodes	42	0x14000d920
HidP_UnsetUsages	43	0x14001adc0
HidP_UsageListDifference	44	0x14001e5b8

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserv
InternalName	bitsp
FileVersion	7.5.7600.16385 (win7_rtm.090713-
CompanyName	Microsoft Corporati
ProductName	Microsoft Windows Operating S
ProductVersion	6.1.7600
FileDescription	Background Intellig
OriginalFilename	kbdy
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 22:58:31.326572895 CEST	61242	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:58:31.347534895 CEST	53	61242	8.8.8.8	192.168.2.7
Sep 28, 2021 22:58:44.796044111 CEST	58562	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:58:44.823921919 CEST	53	58562	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:03.568806887 CEST	56590	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:03.596216917 CEST	53	56590	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:35.400859118 CEST	60501	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:35.435148001 CEST	53	60501	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:36.148283005 CEST	53775	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:36.175223112 CEST	53	53775	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:36.242753029 CEST	51837	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:36.274801970 CEST	53	51837	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:36.888098955 CEST	55411	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:36.913045883 CEST	53	55411	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:37.426076889 CEST	63668	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:37.480443001 CEST	53	63668	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:38.216819048 CEST	54640	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:38.236216068 CEST	53	54640	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:38.768949986 CEST	58739	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:38.790724993 CEST	53	58739	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:39.499053001 CEST	60338	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:39.518876076 CEST	53	60338	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:40.348454952 CEST	58717	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:40.392605066 CEST	53	58717	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:41.128099918 CEST	59762	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:41.147383928 CEST	53	59762	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:41.619390965 CEST	54329	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:41.638657093 CEST	53	54329	8.8.8.8	192.168.2.7
Sep 28, 2021 22:59:42.464898109 CEST	58052	53	192.168.2.7	8.8.8.8
Sep 28, 2021 22:59:42.485603094 CEST	53	58052	8.8.8.8	192.168.2.7
Sep 28, 2021 23:00:24.683839083 CEST	54008	53	192.168.2.7	8.8.8.8
Sep 28, 2021 23:00:24.720098972 CEST	53	54008	8.8.8.8	192.168.2.7
Sep 28, 2021 23:00:31.477318048 CEST	59451	53	192.168.2.7	8.8.8.8
Sep 28, 2021 23:00:31.512187958 CEST	53	59451	8.8.8.8	192.168.2.7
Sep 28, 2021 23:01:00.877557039 CEST	52914	53	192.168.2.7	8.8.8.8
Sep 28, 2021 23:01:00.896600962 CEST	53	52914	8.8.8.8	192.168.2.7

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exe PID: 5548 Parent PID: 3316

General

Start time:	22:58:35
Start date:	28/09/2021
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll'
Imagebase:	0x7ff7ea5b0000
File size:	1136128 bytes
MD5 hash:	E0CC9D126C39A9D2FA1CAD5027EBBD18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.273240568.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: cmd.exe PID: 4312 Parent PID: 5548

General

Start time:	22:58:36
Start date:	28/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1
Imagebase:	0x7ff7bf140000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 2716 Parent PID: 5548

General

Start time:	22:58:36
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FlushQueue
Imagebase:	0x7ff60f080000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.346721215.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 5560 Parent PID: 4312

General

Start time:	22:58:36
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe 'C:\Users\user\Desktop\rPP7AHsBQt.dll',#1
Imagebase:	0x7ff60f080000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000005.00000002.252486367.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: explorer.exe PID: 3292 Parent PID: 2716

General

Start time:	22:58:38
Start date:	28/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff662bf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 1748 Parent PID: 5548

General

Start time:	22:58:39
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_FreePreparsedData
Imagebase:	0x7ff60f080000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.259769048.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 5480 Parent PID: 5548

General

Start time:	22:58:43
Start date:	28/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\rPP7AHsBQt.dll,HidD_GetAttributes
Imagebase:	0x7ff60f080000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000002.266794445.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: RDVGHelper.exe PID: 6456 Parent PID: 3292

General

Start time:	22:59:23
Start date:	28/09/2021
Path:	C:\Windows\System32\RDVGHelper.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\RDVGHelper.exe
Imagebase:	0x7ff7f5b00000
File size:	107008 bytes
MD5 hash:	0BF1E2262C95164A0B244174167FBD85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: RDVGHelper.exe PID: 6464 Parent PID: 3292

General

Start time:	22:59:24
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\2YZyR\RDVGHelper.exe
Imagebase:	0x7ff787770000
File size:	107008 bytes
MD5 hash:	0BF1E2262C95164A0B244174167FBD85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000017.00000002.375513310.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Analysis Process: wusa.exe PID: 6884 Parent PID: 3292

General

Start time:	22:59:36
Start date:	28/09/2021
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wusa.exe
Imagebase:	0x7ff6d6a20000
File size:	308736 bytes
MD5 hash:	04CE745559916B99248F266BBF5F9ED9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: wusa.exe PID: 6940 Parent PID: 3292

General

Start time:	22:59:37
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Local\v74M\wusa.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\v74M\wusa.exe
Imagebase:	0x7ff6d6590000
File size:	308736 bytes
MD5 hash:	04CE745559916B99248F266BBF5F9ED9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001C.00000002.402645228.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: Dxpserver.exe PID: 3476 Parent PID: 3292

General

Start time:	22:59:50
Start date:	28/09/2021
Path:	C:\Windows\System32\Dxpserver.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\Dxpserver.exe
Imagebase:	0x7ff639f30000
File size:	304640 bytes
MD5 hash:	DCCB1D350193BE0A26CEAFF602DB848E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: Dxpserver.exe PID: 4116 Parent PID: 3292

General

Start time:	22:59:52
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\30KRxXoL\Dxpserver.exe
Imagebase:	0x7ff7d7eb0000
File size:	304640 bytes
MD5 hash:	DCCB1D350193BE0A26CEAFF602DB848E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.434908663.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Analysis Process: InfDefaultInstall.exe PID: 6700 Parent PID: 3292

General

Start time:	23:00:03
Start date:	28/09/2021
Path:	C:\Windows\System32\InfDefaultInstall.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\InfDefaultInstall.exe
Imagebase:	0x7ff703950000
File size:	13312 bytes
MD5 hash:	5FDB30927E9D4387D777443BF865EEFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: InfDefaultInstall.exe PID: 6708 Parent PID: 3292

General

Start time:	23:00:04
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\AzSj\InfDefaultInstall.exe
Imagebase:	0x7ff6ee8a0000
File size:	13312 bytes
MD5 hash:	5FDB30927E9D4387D777443BF865EEFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000024.00000002.460431340.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Analysis Process: sethc.exe PID: 7036 Parent PID: 3292

General

Start time:	23:00:16
Start date:	28/09/2021
Path:	C:\Windows\System32\sethc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sethc.exe
Imagebase:	0x7ff64dfa0000
File size:	284160 bytes
MD5 hash:	1C0BF0B710016600C9D9F23CC7103C0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: sethc.exe PID: 7068 Parent PID: 3292

General

Start time:	23:00:16
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Local\hxqisrGT\sethc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\hxqisrGT\sethc.exe
Imagebase:	0x7ff61c020000
File size:	284160 bytes
MD5 hash:	1C0BF0B710016600C9D9F23CC7103C0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000026.00000002.487070134.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: DevicePairingWizard.exe PID: 6340 Parent PID: 3292

General

Start time:	23:00:30
Start date:	28/09/2021
Path:	C:\Windows\System32\DevicePairingWizard.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DevicePairingWizard.exe
Imagebase:	0x7ff61e4c0000
File size:	92160 bytes
MD5 hash:	E23643C785D498FF73B5C9D7EA173C3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: DevicePairingWizard.exe PID: 5596 Parent PID: 3292

General

Start time:	23:00:37
Start date:	28/09/2021
Path:	C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\9Q3FqD\DevicePairingWizard.exe
Imagebase:	0x7ff6159d0000
File size:	92160 bytes
MD5 hash:	E23643C785D498FF73B5C9D7EA173C3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000029.00000002.533624086.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report rPP7AHsBQt

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior