Windows Analysis Report PSnPApRPsG

Overview

General Information

Sample Name: PSnPApRPsG (renamed file extension from none to dll)
Analysis ID: 492695
MD5: ed37656551984cf5c1196d88c282e4aa
SHA1: 1475e0b8fd14a3a13160dc8ab28d228f3027c8b9
SHA256: 4bbd6db4f6bdad3bbcb134c53fb0886197c2880f9e9dd7a630707dbf333623f4
Tags: Dridexexe
Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

AV Detection:

Multi AV Scanner detection for submitted file
Source: PSnPApRPsG.dll ReversingLabs: Detection: 80%
Antivirus / Scanner detection for submitted sample
Source: PSnPApRPsG.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\a5Q9CELTE\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\br5u0t\WINMM.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\PVSXo\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\YaR\MFC42u.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Tp5KLY\XmlLite.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\TQbOBk\DUser.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\72PXeqK\TAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\nmYaGulOu\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\HtmF\credui.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\hUhx9Ta\WINSTA.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: PSnPApRPsG.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\a5Q9CELTE\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\br5u0t\WINMM.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\PVSXo\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\YaR\MFC42u.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Tp5KLY\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\TQbOBk\DUser.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\72PXeqK\TAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\nmYaGulOu\UxTheme.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\HtmF\credui.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\hUhx9Ta\WINSTA.dll Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe Code function: 20_2_00007FF677471AC4 CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext, 20_2_00007FF677471AC4
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB1DF30 CertGetCertificateContextProperty,GetLastError,CryptHashCertificate,GetLastError,GetLastError,CertFreeCertificateContext, 23_2_00007FF6EDB1DF30
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Code function: 29_2_00007FF70C03CE10 memset,memcpy,BCryptEncrypt,BCryptDestroyKey,BCryptCloseAlgorithmProvider,CoTaskMemFree, 29_2_00007FF70C03CE10
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Code function: 29_2_00007FF70C032A04 BCryptDecrypt,memset,BCryptDecrypt,memcpy,BCryptDestroyKey,BCryptCloseAlgorithmProvider,CoTaskMemFree, 29_2_00007FF70C032A04
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Code function: 29_2_00007FF70C032E8C BCryptDestroyKey,BCryptCloseAlgorithmProvider,CoTaskMemFree,CoTaskMemFree, 29_2_00007FF70C032E8C
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Code function: 29_2_00007FF70C03CC10 BCryptGenRandom,memcpy,BCryptEncrypt,memcpy,BCryptEncrypt, 29_2_00007FF70C03CC10
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Code function: 29_2_00007FF70C032CA0 BCryptOpenAlgorithmProvider,BCryptGetProperty,BCryptGetProperty,BCryptGenerateSymmetricKey,BCryptDestroyKey,BCryptCloseAlgorithmProvider,CoTaskMemFree, 29_2_00007FF70C032CA0
Source: PSnPApRPsG.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: RdpSaUacHelper.pdbGCTL source: RdpSaUacHelper.exe, 00000014.00000000.796651470.00007FF677475000.00000002.00020000.sdmp
Source: Binary string: ProximityUxHost.pdbGCTL source: ProximityUxHost.exe, 0000001D.00000002.933995077.00007FF70C042000.00000002.00020000.sdmp
Source: Binary string: tcmsetup.pdbGCTL source: tcmsetup.exe, 00000012.00000000.769914241.00007FF708133000.00000002.00020000.sdmp
Source: Binary string: psr.pdbGCTL source: psr.exe, 0000001F.00000000.933928652.00007FF631DDC000.00000002.00020000.sdmp, psr.exe, 00000021.00000002.984523696.00007FF6A2D9C000.00000002.00020000.sdmp
Source: Binary string: bdechangepin.pdb source: bdechangepin.exe, 0000001A.00000000.863440344.00007FF7A2AF9000.00000002.00020000.sdmp
Source: Binary string: msdt.pdbGCTL source: msdt.exe, 00000017.00000002.855099641.00007FF6EDB38000.00000002.00020000.sdmp
Source: Binary string: bdechangepin.pdbGCTL source: bdechangepin.exe, 0000001A.00000000.863440344.00007FF7A2AF9000.00000002.00020000.sdmp
Source: Binary string: PresentationSettings.pdb source: PresentationSettings.exe, 00000028.00000002.1084790071.00007FF7B1F46000.00000002.00020000.sdmp
Source: Binary string: wlrmdr.pdbGCTL source: wlrmdr.exe, 00000024.00000002.1020091961.00007FF70E3F6000.00000002.00020000.sdmp
Source: Binary string: wlrmdr.pdb source: wlrmdr.exe, 00000024.00000002.1020091961.00007FF70E3F6000.00000002.00020000.sdmp
Source: Binary string: DevicePairingWizard.pdb source: DevicePairingWizard.exe, 00000026.00000002.1057768214.00007FF621237000.00000002.00020000.sdmp
Source: Binary string: RdpSaUacHelper.pdb source: RdpSaUacHelper.exe, 00000014.00000000.796651470.00007FF677475000.00000002.00020000.sdmp
Source: Binary string: tcmsetup.pdb source: tcmsetup.exe, 00000012.00000000.769914241.00007FF708133000.00000002.00020000.sdmp
Source: Binary string: psr.pdb source: psr.exe, 0000001F.00000000.933928652.00007FF631DDC000.00000002.00020000.sdmp, psr.exe, 00000021.00000002.984523696.00007FF6A2D9C000.00000002.00020000.sdmp
Source: Binary string: msdt.pdb source: msdt.exe, 00000017.00000002.855099641.00007FF6EDB38000.00000002.00020000.sdmp
Source: Binary string: PresentationSettings.pdbGCTL source: PresentationSettings.exe, 00000028.00000002.1084790071.00007FF7B1F46000.00000002.00020000.sdmp
Source: Binary string: ProximityUxHost.pdb source: ProximityUxHost.exe, 0000001D.00000002.933995077.00007FF70C042000.00000002.00020000.sdmp
Source: Binary string: DevicePairingWizard.pdbGCTL source: DevicePairingWizard.exe, 00000026.00000002.1057768214.00007FF621237000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D290 FindFirstFileExW, 1_2_000000014005D290
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB16720 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 23_2_00007FF6EDB16720
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB2A65C memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 23_2_00007FF6EDB2A65C
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB2BD48 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 23_2_00007FF6EDB2BD48
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB17784 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 23_2_00007FF6EDB17784
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB12770 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 23_2_00007FF6EDB12770
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB16494 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,#13,GetLastError,GetProcessHeap,HeapFree, 23_2_00007FF6EDB16494
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB17C3C GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree, 23_2_00007FF6EDB17C3C
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DC7A2C memset,PathCombineW,FindFirstFileW,GetLastError,PathCombineW,FindClose, 31_2_00007FF631DC7A2C
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DD15A8 GlobalAlloc,CharLowerA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,lstrlenA,FileTimeToLocalFileTime,FileTimeToDosDateTime,lstrlenA,FindNextFileA,FindNextFileA,FindClose,GlobalLock,GlobalUnlock,GlobalLock,GlobalUnlock,lstrlenA,FileTimeToLocalFileTime,FileTimeToDosDateTime,lstrlenA,lstrlenA,lstrlenA,GlobalFree, 31_2_00007FF631DD15A8
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DD1168 memset,lstrlenA,lstrlenA,lstrlenA,FindFirstFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,FindNextFileA,lstrcmpA,lstrcmpA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose, 31_2_00007FF631DD1168
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D87A2C memset,PathCombineW,FindFirstFileW,GetLastError,PathCombineW,FindClose, 33_2_00007FF6A2D87A2C
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D915A8 GlobalAlloc,CharLowerA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,lstrlenA,FileTimeToLocalFileTime,FileTimeToDosDateTime,lstrlenA,FindNextFileA,FindNextFileA,FindClose,GlobalLock,GlobalUnlock,GlobalLock,GlobalUnlock,lstrlenA,FileTimeToLocalFileTime,FileTimeToDosDateTime,lstrlenA,lstrlenA,lstrlenA,GlobalFree, 33_2_00007FF6A2D915A8
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D91168 memset,lstrlenA,lstrlenA,lstrlenA,FindFirstFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,FindNextFileA,lstrcmpA,lstrcmpA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose, 33_2_00007FF6A2D91168
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F44518 PathAppendW,FindFirstFileW,PathAppendW,GetLastError,PathFindExtensionW,StrCmpICW,FindNextFileW,FindClose,GetLastError, 40_2_00007FF7B1F44518

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB13120 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree, 23_2_00007FF6EDB13120

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000005.00000002.677061553.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.691449064.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.1082755771.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.846583663.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1056321571.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.818480177.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.982719749.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.955848713.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.761772602.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.791585057.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.885485800.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.1017398501.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.924400956.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.684710947.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.698738573.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Detected potential crypto function
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Code function: 29_2_00007FF70C021018 29_2_00007FF70C021018
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Code function: 29_2_00007FF70C01B868 29_2_00007FF70C01B868
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Code function: 29_2_00007FF70C01F0B4 29_2_00007FF70C01F0B4
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Code function: 29_2_00007FF70C02ECB8 29_2_00007FF70C02ECB8
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Code function: 29_2_00007FF70C03A8E0 29_2_00007FF70C03A8E0
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DC3B24 31_2_00007FF631DC3B24
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DCAF20 31_2_00007FF631DCAF20
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DC86E8 31_2_00007FF631DC86E8
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DB8AC0 31_2_00007FF631DB8AC0
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DB32C4 31_2_00007FF631DB32C4
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DD02D0 31_2_00007FF631DD02D0
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DCE678 31_2_00007FF631DCE678
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DD2DD8 31_2_00007FF631DD2DD8
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DBD9A0 31_2_00007FF631DBD9A0
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DCCDA8 31_2_00007FF631DCCDA8
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DC9144 31_2_00007FF631DC9144
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DD310C 31_2_00007FF631DD310C
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DBE0C0 31_2_00007FF631DBE0C0
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DC3CA0 31_2_00007FF631DC3CA0
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DC8C98 31_2_00007FF631DC8C98
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DC6840 31_2_00007FF631DC6840
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DC4420 31_2_00007FF631DC4420
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DC8428 31_2_00007FF631DC8428
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DD2004 31_2_00007FF631DD2004
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DC4BD8 31_2_00007FF631DC4BD8
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DC3FC4 31_2_00007FF631DC3FC4
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DB73C8 31_2_00007FF631DB73C8
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DC5388 31_2_00007FF631DC5388
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DB4B8C 31_2_00007FF631DB4B8C
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DB9770 31_2_00007FF631DB9770
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DB7F44 31_2_00007FF631DB7F44
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D84420 33_2_00007FF6A2D84420
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D88428 33_2_00007FF6A2D88428
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D92004 33_2_00007FF6A2D92004
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D84BD8 33_2_00007FF6A2D84BD8
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D83FC4 33_2_00007FF6A2D83FC4
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D773C8 33_2_00007FF6A2D773C8
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D74B8C 33_2_00007FF6A2D74B8C
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D85388 33_2_00007FF6A2D85388
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D79770 33_2_00007FF6A2D79770
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D77F44 33_2_00007FF6A2D77F44
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D9310C 33_2_00007FF6A2D9310C
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D7E0C0 33_2_00007FF6A2D7E0C0
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D88C98 33_2_00007FF6A2D88C98
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D83CA0 33_2_00007FF6A2D83CA0
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D86840 33_2_00007FF6A2D86840
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D92DD8 33_2_00007FF6A2D92DD8
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D7D9A0 33_2_00007FF6A2D7D9A0
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D8CDA8 33_2_00007FF6A2D8CDA8
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D89144 33_2_00007FF6A2D89144
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D8AF20 33_2_00007FF6A2D8AF20
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D83B24 33_2_00007FF6A2D83B24
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D886E8 33_2_00007FF6A2D886E8
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D732C4 33_2_00007FF6A2D732C4
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D78AC0 33_2_00007FF6A2D78AC0
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D902D0 33_2_00007FF6A2D902D0
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D8E678 33_2_00007FF6A2D8E678
Source: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe Code function: 36_2_00007FF70E3F1B64 36_2_00007FF70E3F1B64
Source: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe Code function: 36_2_00007FF70E3F15EC 36_2_00007FF70E3F15EC
Source: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe Code function: 36_2_00007FF70E3F2BE8 36_2_00007FF70E3F2BE8
Source: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe Code function: 36_2_00007FF70E3F3778 36_2_00007FF70E3F3778
Source: C:\Users\user\AppData\Local\YaR\DevicePairingWizard.exe Code function: 38_2_00007FF6212331D0 38_2_00007FF6212331D0
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F3441C 40_2_00007FF7B1F3441C
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F43034 40_2_00007FF7B1F43034
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F4354C 40_2_00007FF7B1F4354C
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F44374 40_2_00007FF7B1F44374
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F33278 40_2_00007FF7B1F33278
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F32D90 40_2_00007FF7B1F32D90
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F3649C 40_2_00007FF7B1F3649C
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F356A4 40_2_00007FF7B1F356A4
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F439C8 40_2_00007FF7B1F439C8
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F43CDC 40_2_00007FF7B1F43CDC
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F336DC 40_2_00007FF7B1F336DC
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe Code function: String function: 00007FF7A2AF1400 appears 70 times
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: String function: 00007FF6EDB3410C appears 37 times
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: String function: 00007FF6EDAF4474 appears 37 times
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: String function: 00007FF6EDAF419C appears 54 times
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: String function: 00007FF6EDAFCF60 appears 903 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140046C90 NtClose, 1_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006A4B0 NtQuerySystemInformation, 1_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB25580 NtOpenThreadToken,NtOpenProcessToken,NtQueryInformationToken,NtClose, 23_2_00007FF6EDB25580
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB254EC NtQueryInformationToken,NtQueryInformationToken, 23_2_00007FF6EDB254EC
Source: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe Code function: 36_2_00007FF70E3F2F58 memset,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,CloseHandle, 36_2_00007FF70E3F2F58
Source: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe Code function: 36_2_00007FF70E3F2E0C NtQuerySystemInformation,NtQuerySystemInformation,LocalFree,LocalAlloc,GetLastError,LocalFree,RtlNtStatusToDosError,RtlCompareUnicodeString, 36_2_00007FF70E3F2E0C
PE file contains executable resources (Code or Archives)
Source: RdpSaUacHelper.exe.7.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file contains strange resources
(Caveat: GLS_BINARY_LSB_FIRST is the libmagic label for data that begins with the little-endian dword 0x28. An RT_ICON resource stores a DIB that begins with a 40-byte BITMAPINFOHEADER, so this finding is expected for the icons in ordinary Windows executables and is not on its own an indicator of tampering.)
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdechangepin.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdechangepin.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bdechangepin.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: psr.exe0.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wlrmdr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wlrmdr.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DevicePairingWizard.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EaseOfAccessDialog.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EaseOfAccessDialog.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EaseOfAccessDialog.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: perfmon.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: perfmon.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: perfmon.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: DUI70.dll.7.dr Static PE information: Number of sections : 40 > 10
Source: DUI70.dll1.7.dr Static PE information: Number of sections : 40 > 10
Source: WINMM.dll.7.dr Static PE information: Number of sections : 40 > 10
Source: WINSTA.dll.7.dr Static PE information: Number of sections : 40 > 10
Source: credui.dll.7.dr Static PE information: Number of sections : 40 > 10
Source: VERSION.dll0.7.dr Static PE information: Number of sections : 40 > 10
Source: TAPI32.dll.7.dr Static PE information: Number of sections : 40 > 10
Source: UxTheme.dll.7.dr Static PE information: Number of sections : 40 > 10
Source: MFC42u.dll.7.dr Static PE information: Number of sections : 40 > 10
Source: PSnPApRPsG.dll Static PE information: Number of sections : 39 > 10
Source: DUI70.dll0.7.dr Static PE information: Number of sections : 40 > 10
Source: VERSION.dll.7.dr Static PE information: Number of sections : 40 > 10
Source: XmlLite.dll.7.dr Static PE information: Number of sections : 40 > 10
Source: DUser.dll.7.dr Static PE information: Number of sections : 40 > 10
Source: PSnPApRPsG.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TAPI32.dll.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll1.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUser.dll.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: credui.dll.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll0.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
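The section findings above are header-only checks: every dropped DLL has 40 sections and the submitted sample has 39, while a Microsoft-built library typically has well under ten, so the dropped DUI70.dll, UxTheme.dll, WINMM.dll and the rest look like renamed copies of the loader rather than the genuine Windows libraries. The following is an added example, not part of the Joe Sandbox report or its tooling: a stdlib-only Python triage that reads a PE section table and reports the same three things the report flags (section count above a threshold, non-standard section names, sections that are both writable and executable). Because the real samples are not on this page, `build_pe` constructs a minimal headers-only image so the check runs offline; the threshold of 10 mirrors the report's "> 10" rule, and `STANDARD_SECTIONS` is my own list of common linker section names, not an authoritative one.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

# Section names the MSVC/LLVM linkers emit for ordinary Windows binaries
# (assumption: an illustrative list, not an exhaustive one).
STANDARD_SECTIONS = {
    ".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc",
    ".reloc", ".tls", ".bss", ".xdata", ".gfids", ".00cfg", ".didat",
}

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections):
    """Construct a minimal PE64 image: DOS stub, COFF header and a section
    table with no optional header and no section data. Enough for header
    triage, not loadable. `sections` is a list of (name_bytes, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH",
                       0x8664,          # Machine: AMD64
                       len(sections),   # NumberOfSections
                       0, 0, 0,         # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                       0,               # SizeOfOptionalHeader: omitted
                       0x2022)          # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    table = b"".join(
        SECTION_HDR.pack(name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                         0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table


def triage_pe(data, max_sections=10):
    """Parse the section table and return the header-only findings the report
    lists: section count above `max_sections`, non-standard names, W+X sections."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    if table + num_sections * SECTION_HDR.size > len(data):
        raise ValueError("section table runs past end of file")

    names, nonstandard, wx, findings = [], [], [], []
    for i in range(num_sections):
        raw_name, *_, flags = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        names.append(name)
        if name not in STANDARD_SECTIONS:
            nonstandard.append(name)
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            wx.append(name)
    if num_sections > max_sections:
        findings.append(f"more sections than normal: {num_sections} > {max_sections}")
    for n in nonstandard:
        findings.append(f"non-standard section name: {n!r}")
    for n in wx:
        findings.append(f"writable and executable section: {n!r}")
    return {"section_count": num_sections, "names": names,
            "nonstandard": nonstandard, "wx": wx, "findings": findings}


if __name__ == "__main__":
    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    # Constructed 40-section image mimicking the dropped DLLs' layout.
    sample = build_pe([(b".text", code)] + [(b".s%02d" % i, IMAGE_SCN_MEM_READ) for i in range(39)])
    for line in triage_pe(sample)["findings"]:
        print(line)
```

On a real file, replace the constructed bytes with `open(path, "rb").read()`; the parser only touches the headers, so it is safe to run over a dropped-file directory without mapping anything.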
Source: PSnPApRPsG.dll ReversingLabs: Detection: 80%
Source: PSnPApRPsG.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\PSnPApRPsG.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\PSnPApRPsG.dll',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\PSnPApRPsG.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PSnPApRPsG.dll,??0?$PatternProvider@VExpandCollapseProvider@DirectUI@@UIExpandCollapseProvider@@$00@DirectUI@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PSnPApRPsG.dll,??0?$PatternProvider@VGridItemProvider@DirectUI@@UIGridItemProvider@@$01@DirectUI@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PSnPApRPsG.dll,??0?$PatternProvider@VGridProvider@DirectUI@@UIGridProvider@@$02@DirectUI@@QEAA@XZ
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\tcmsetup.exe C:\Windows\system32\tcmsetup.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\72PXeqK\tcmsetup.exe C:\Users\user\AppData\Local\72PXeqK\tcmsetup.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\RdpSaUacHelper.exe C:\Windows\system32\RdpSaUacHelper.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\msdt.exe C:\Windows\system32\msdt.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\bdechangepin.exe C:\Windows\system32\bdechangepin.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\ProximityUxHost.exe C:\Windows\system32\ProximityUxHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\psr.exe C:\Windows\system32\psr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Tp5KLY\psr.exe C:\Users\user\AppData\Local\Tp5KLY\psr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\psr.exe C:\Windows\system32\psr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wlrmdr.exe C:\Windows\system32\wlrmdr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DevicePairingWizard.exe C:\Windows\system32\DevicePairingWizard.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\YaR\DevicePairingWizard.exe C:\Users\user\AppData\Local\YaR\DevicePairingWizard.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\PresentationSettings.exe C:\Windows\system32\PresentationSettings.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\PSnPApRPsG.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PSnPApRPsG.dll,??0?$PatternProvider@VExpandCollapseProvider@DirectUI@@UIExpandCollapseProvider@@$00@DirectUI@@QEAA@XZ Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PSnPApRPsG.dll,??0?$PatternProvider@VGridItemProvider@DirectUI@@UIGridItemProvider@@$01@DirectUI@@QEAA@XZ Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PSnPApRPsG.dll,??0?$PatternProvider@VGridProvider@DirectUI@@UIGridProvider@@$02@DirectUI@@QEAA@XZ Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\PSnPApRPsG.dll',#1 Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\tcmsetup.exe C:\Windows\system32\tcmsetup.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\72PXeqK\tcmsetup.exe C:\Users\user\AppData\Local\72PXeqK\tcmsetup.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\RdpSaUacHelper.exe C:\Windows\system32\RdpSaUacHelper.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\msdt.exe C:\Windows\system32\msdt.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\bdechangepin.exe C:\Windows\system32\bdechangepin.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\ProximityUxHost.exe C:\Windows\system32\ProximityUxHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\psr.exe C:\Windows\system32\psr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Tp5KLY\psr.exe C:\Users\user\AppData\Local\Tp5KLY\psr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\psr.exe C:\Windows\system32\psr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wlrmdr.exe C:\Windows\system32\wlrmdr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DevicePairingWizard.exe C:\Windows\system32\DevicePairingWizard.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\YaR\DevicePairingWizard.exe C:\Users\user\AppData\Local\YaR\DevicePairingWizard.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\PresentationSettings.exe C:\Windows\system32\PresentationSettings.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown (6 occurrences, image name not resolved by the sandbox)
Source: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe Code function: 20_2_00007FF677471BF4 memset,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,OpenProcess,GetLastError,RegDeleteKeyValueW,CoSetProxyBlanket,CreateFileMappingW,GetLastError,MapViewOfFile,GetLastError,SysAllocStringByteLen,SysFreeString,CreateEventW,DuplicateHandle,UnmapViewOfFile,DuplicateHandle,RegSetKeyValueW,WaitForMultipleObjects,GetLastError,RegDeleteKeyValueW,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,WaitForSingleObject,GetLastError,SysFreeString,GetLastError,GetLastError,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 20_2_00007FF677471BF4
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.troj.evad.winDLL@57/27@0/0
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB28F0C SysAllocString,SetDllDirectoryW,GetLastError,SetDllDirectoryW,GetLastError,CoCreateInstance,SysFreeString,SysFreeString, 23_2_00007FF6EDB28F0C
Source: C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe Code function: 26_2_00007FF7A2AF3364 InitializeCriticalSection,GetCommandLineW,CommandLineToArgvW,GetLastError,iswalpha,towupper,EnterCriticalSection,FormatMessageW,GetModuleHandleW,#344,LeaveCriticalSection,LeaveCriticalSection,CoInitialize,InitProcessPriv,InitThread,FormatMessageW,GetLastError,CreateMutexW,GetLastError,CloseHandle,FindWindowW,SetForegroundWindow,LocalFree,LocalFree,UnInitThread,UnInitProcessPriv,CoUninitialize,CloseHandle,DeleteCriticalSection,GetSystemMetrics,GetSystemMetrics,GetModuleHandleW,LoadImageW,?Create@NativeHWNDHost@DirectUI@@SAJPEBGPEAUHWND__@@PEAUHICON__@@HHHHHHIPEAPEAV12@@Z,EnterCriticalSection,LeaveCriticalSection,?EndDefer@Element@DirectUI@@QEAAXK@Z,?SetVisible@Element@DirectUI@@QEAAJ_N@Z,?EndDefer@Element@DirectUI@@QEAAXK@Z,?Host@NativeHWNDHost@DirectUI@@QEAAXPEAVElement@2@@Z,?ShowWindow@NativeHWNDHost@DirectUI@@QEAAXH@Z,StartMessagePump, 26_2_00007FF7A2AF3364
Source: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe Code function: 20_2_00007FF6774732D4 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,StartServiceW,GetLastError,QueryServiceStatus,Sleep,GetLastError,CloseServiceHandle,CloseServiceHandle, 20_2_00007FF6774732D4
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\PSnPApRPsG.dll',#1
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Mutant created: \Sessions\1\BaseNamedObjects\{ddb7b3dd-cda9-ef67-3c9a-2a105a068b1d}
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Mutant created: \Sessions\1\BaseNamedObjects\{aa9aa00c-1782-a05e-a9f4-d03ba02d4f4c}
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB256C4 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,SizeofResource,GetLastError,GlobalAlloc,GetLastError,GlobalLock,GetLastError,memcpy,CreateStreamOnHGlobal,FreeResource,GlobalUnlock,GlobalFree, 23_2_00007FF6EDB256C4
Source: PresentationSettings.exe String found in binary or memory: /stop (2 occurrences)
Source: PSnPApRPsG.dll Static PE information: 4320 exports found (above the 100-export threshold)
Source: PSnPApRPsG.dll Static PE information: Image base 0x140000000 (above 0x60000000)
Source: PSnPApRPsG.dll Static file information: File size 1519616 bytes (above the 1048576-byte threshold)
Source: PSnPApRPsG.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: RdpSaUacHelper.pdbGCTL source: RdpSaUacHelper.exe, 00000014.00000000.796651470.00007FF677475000.00000002.00020000.sdmp
Source: Binary string: ProximityUxHost.pdbGCTL source: ProximityUxHost.exe, 0000001D.00000002.933995077.00007FF70C042000.00000002.00020000.sdmp
Source: Binary string: tcmsetup.pdbGCTL source: tcmsetup.exe, 00000012.00000000.769914241.00007FF708133000.00000002.00020000.sdmp
Source: Binary string: psr.pdbGCTL source: psr.exe, 0000001F.00000000.933928652.00007FF631DDC000.00000002.00020000.sdmp, psr.exe, 00000021.00000002.984523696.00007FF6A2D9C000.00000002.00020000.sdmp
Source: Binary string: bdechangepin.pdb source: bdechangepin.exe, 0000001A.00000000.863440344.00007FF7A2AF9000.00000002.00020000.sdmp
Source: Binary string: msdt.pdbGCTL source: msdt.exe, 00000017.00000002.855099641.00007FF6EDB38000.00000002.00020000.sdmp
Source: Binary string: bdechangepin.pdbGCTL source: bdechangepin.exe, 0000001A.00000000.863440344.00007FF7A2AF9000.00000002.00020000.sdmp
Source: Binary string: PresentationSettings.pdb source: PresentationSettings.exe, 00000028.00000002.1084790071.00007FF7B1F46000.00000002.00020000.sdmp
Source: Binary string: wlrmdr.pdbGCTL source: wlrmdr.exe, 00000024.00000002.1020091961.00007FF70E3F6000.00000002.00020000.sdmp
Source: Binary string: wlrmdr.pdb source: wlrmdr.exe, 00000024.00000002.1020091961.00007FF70E3F6000.00000002.00020000.sdmp
Source: Binary string: DevicePairingWizard.pdb source: DevicePairingWizard.exe, 00000026.00000002.1057768214.00007FF621237000.00000002.00020000.sdmp
Source: Binary string: RdpSaUacHelper.pdb source: RdpSaUacHelper.exe, 00000014.00000000.796651470.00007FF677475000.00000002.00020000.sdmp
Source: Binary string: tcmsetup.pdb source: tcmsetup.exe, 00000012.00000000.769914241.00007FF708133000.00000002.00020000.sdmp
Source: Binary string: psr.pdb source: psr.exe, 0000001F.00000000.933928652.00007FF631DDC000.00000002.00020000.sdmp, psr.exe, 00000021.00000002.984523696.00007FF6A2D9C000.00000002.00020000.sdmp
Source: Binary string: msdt.pdb source: msdt.exe, 00000017.00000002.855099641.00007FF6EDB38000.00000002.00020000.sdmp
Source: Binary string: PresentationSettings.pdbGCTL source: PresentationSettings.exe, 00000028.00000002.1084790071.00007FF7B1F46000.00000002.00020000.sdmp
Source: Binary string: ProximityUxHost.pdb source: ProximityUxHost.exe, 0000001D.00000002.933995077.00007FF70C042000.00000002.00020000.sdmp
Source: Binary string: DevicePairingWizard.pdbGCTL source: DevicePairingWizard.exe, 00000026.00000002.1057768214.00007FF621237000.00000002.00020000.sdmp
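Two triage checks an analyst would run over these findings, written here as an added Python example that is not part of the Joe Sandbox report. The first turns the explorer.exe process creations above into a DLL side-loading indicator: every system executable (msdt.exe, psr.exe, wlrmdr.exe, ...) is started once from C:\Windows\System32 and once from a randomly named folder under %LOCALAPPDATA%, next to the dropped DLLs (TAPI32.dll, WINSTA.dll, UxTheme.dll, DUI70.dll, ...) whose names match libraries those executables load. The second groups the "section name" findings listed under Data Obfuscation below and separates the randomised names from names the Microsoft linker emits for genuine binaries: .didat (delay-load import data) and .imrsiv (immersive executables) on the copied psr.exe, wlrmdr.exe and ProximityUxHost.exe are expected and are not indicators, whereas a dropped DLL that carries every one of the sample's 33 random section names came from the same builder. The FINDINGS text is a constructed subset of the report in its own line format; the set of known Microsoft section names and the list of user-writable directories are assumptions of the example.

```python
"""Triage checks over sandbox findings in the 'Source: ... ' line format above.
Added example, not part of the Joe Sandbox report; FINDINGS is constructed."""
import re
from collections import defaultdict

PROC_RE = re.compile(r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) ")
SECT_RE = re.compile(r"^Source: (?P<module>\S+) Static PE information: section name: (?P<name>\S+)$")

# Assumption: section names a legitimate Microsoft-linked binary may carry.
# '.didat' holds delay-load import data, '.imrsiv' marks immersive executables.
KNOWN_MS_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".didat", ".imrsiv"}

WINDOWS_ROOT = "c:\\windows\\"
# Assumption: directory fragments a standard user can write to.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\")

# Constructed input mirroring the report's own lines (a subset of the findings above).
FINDINGS = r"""
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\msdt.exe C:\Windows\system32\msdt.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\psr.exe C:\Windows\system32\psr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Tp5KLY\psr.exe C:\Users\user\AppData\Local\Tp5KLY\psr.exe
Source: PSnPApRPsG.dll Static PE information: section name: .qkm
Source: PSnPApRPsG.dll Static PE information: section name: .cvjb
Source: TAPI32.dll.7.dr Static PE information: section name: .qkm
Source: TAPI32.dll.7.dr Static PE information: section name: .cvjb
Source: TAPI32.dll.7.dr Static PE information: section name: .ehmk
Source: psr.exe.7.dr Static PE information: section name: .didat
Source: wlrmdr.exe.7.dr Static PE information: section name: .imrsiv
"""


def image_basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_process_creations(text):
    """Return (parent, image_path) pairs from 'Process created' findings."""
    out = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            out.append((m["parent"], m["image"]))
    return out


def side_loading_candidates(text):
    """Images whose file name also runs from C:\\Windows but which here start
    from a user-writable directory. A Windows-signed EXE copied beside an
    attacker-controlled DLL is the side-loading setup; the copy is the hit."""
    creations = parse_process_creations(text)
    system_names = {image_basename(img) for _, img in creations
                    if img.lower().startswith(WINDOWS_ROOT)}
    hits = []
    for parent, img in creations:
        low = img.lower()
        if image_basename(img) in system_names and any(d in low for d in USER_WRITABLE):
            hits.append((parent, img))
    return hits


def section_names_by_module(text):
    """Map each module named in 'section name' findings to its set of names."""
    sections = defaultdict(set)
    for line in text.splitlines():
        m = SECT_RE.match(line)
        if m:
            sections[m["module"]].add(m["name"])
    return dict(sections)


def classify_sections(text, sample="PSnPApRPsG.dll"):
    """Per module: the genuinely odd section names, the names a Microsoft
    binary may legitimately carry, and whether the module contains every odd
    name of the submitted sample (i.e. came from the same builder/packer)."""
    per_module = section_names_by_module(text)
    odd = {mod: names - KNOWN_MS_SECTIONS for mod, names in per_module.items()}
    sample_odd = odd.get(sample, set())
    report = {}
    for mod, names in per_module.items():
        report[mod] = {
            "odd": sorted(odd[mod]),
            "microsoft": sorted(names & KNOWN_MS_SECTIONS),
            "same_builder_as_sample": mod != sample and bool(sample_odd) and sample_odd <= odd[mod],
        }
    return report


if __name__ == "__main__":
    for parent, image in side_loading_candidates(FINDINGS):
        print(f"side-loading candidate: {image} (parent {parent})")
    for module, info in classify_sections(FINDINGS).items():
        print(f"{module}: odd={info['odd']} microsoft={info['microsoft']} "
              f"same_builder_as_sample={info['same_builder_as_sample']}")
```

On the full report the first check flags the eight %LOCALAPPDATA% copies and the second marks every dropped DLL as sharing the sample's section set (each carries the 33 names plus one extra), while the copied EXEs only contribute .didat or .imrsiv. Paste the report's own lines into FINDINGS to reproduce that; the regexes match with or without the trailing "Jump to behavior" link text.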

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140056A4D push rdi; ret 1_2_0000000140056A4E
PE file contains sections with non-standard names
Source: PSnPApRPsG.dll Static PE information: section name: .qkm
Source: PSnPApRPsG.dll Static PE information: section name: .cvjb
Source: PSnPApRPsG.dll Static PE information: section name: .tlmkv
Source: PSnPApRPsG.dll Static PE information: section name: .wucsxe
Source: PSnPApRPsG.dll Static PE information: section name: .wnx
Source: PSnPApRPsG.dll Static PE information: section name: .weqy
Source: PSnPApRPsG.dll Static PE information: section name: .yby
Source: PSnPApRPsG.dll Static PE information: section name: .ormx
Source: PSnPApRPsG.dll Static PE information: section name: .dhclu
Source: PSnPApRPsG.dll Static PE information: section name: .xmiul
Source: PSnPApRPsG.dll Static PE information: section name: .tlwcxe
Source: PSnPApRPsG.dll Static PE information: section name: .get
Source: PSnPApRPsG.dll Static PE information: section name: .hzrd
Source: PSnPApRPsG.dll Static PE information: section name: .qzu
Source: PSnPApRPsG.dll Static PE information: section name: .nhglos
Source: PSnPApRPsG.dll Static PE information: section name: .itzo
Source: PSnPApRPsG.dll Static PE information: section name: .nmsaom
Source: PSnPApRPsG.dll Static PE information: section name: .rvhi
Source: PSnPApRPsG.dll Static PE information: section name: .ucrzce
Source: PSnPApRPsG.dll Static PE information: section name: .ijc
Source: PSnPApRPsG.dll Static PE information: section name: .ohvs
Source: PSnPApRPsG.dll Static PE information: section name: .rlvrc
Source: PSnPApRPsG.dll Static PE information: section name: .yjv
Source: PSnPApRPsG.dll Static PE information: section name: .clbcyy
Source: PSnPApRPsG.dll Static PE information: section name: .xcyn
Source: PSnPApRPsG.dll Static PE information: section name: .boqx
Source: PSnPApRPsG.dll Static PE information: section name: .rnlia
Source: PSnPApRPsG.dll Static PE information: section name: .ctip
Source: PSnPApRPsG.dll Static PE information: section name: .fkv
Source: PSnPApRPsG.dll Static PE information: section name: .pczrv
Source: PSnPApRPsG.dll Static PE information: section name: .ibglr
Source: PSnPApRPsG.dll Static PE information: section name: .uirkq
Source: PSnPApRPsG.dll Static PE information: section name: .nzhxgg
Source: ProximityUxHost.exe.7.dr Static PE information: section name: .imrsiv
Source: psr.exe.7.dr Static PE information: section name: .didat
Source: psr.exe0.7.dr Static PE information: section name: .didat
Source: wlrmdr.exe.7.dr Static PE information: section name: .imrsiv
Source: ie4uinit.exe.7.dr Static PE information: section name: .didat
Source: TAPI32.dll.7.dr Static PE information: section name: .qkm
Source: TAPI32.dll.7.dr Static PE information: section name: .cvjb
Source: TAPI32.dll.7.dr Static PE information: section name: .tlmkv
Source: TAPI32.dll.7.dr Static PE information: section name: .wucsxe
Source: TAPI32.dll.7.dr Static PE information: section name: .wnx
Source: TAPI32.dll.7.dr Static PE information: section name: .weqy
Source: TAPI32.dll.7.dr Static PE information: section name: .yby
Source: TAPI32.dll.7.dr Static PE information: section name: .ormx
Source: TAPI32.dll.7.dr Static PE information: section name: .dhclu
Source: TAPI32.dll.7.dr Static PE information: section name: .xmiul
Source: TAPI32.dll.7.dr Static PE information: section name: .tlwcxe
Source: TAPI32.dll.7.dr Static PE information: section name: .get
Source: TAPI32.dll.7.dr Static PE information: section name: .hzrd
Source: TAPI32.dll.7.dr Static PE information: section name: .qzu
Source: TAPI32.dll.7.dr Static PE information: section name: .nhglos
Source: TAPI32.dll.7.dr Static PE information: section name: .itzo
Source: TAPI32.dll.7.dr Static PE information: section name: .nmsaom
Source: TAPI32.dll.7.dr Static PE information: section name: .rvhi
Source: TAPI32.dll.7.dr Static PE information: section name: .ucrzce
Source: TAPI32.dll.7.dr Static PE information: section name: .ijc
Source: TAPI32.dll.7.dr Static PE information: section name: .ohvs
Source: TAPI32.dll.7.dr Static PE information: section name: .rlvrc
Source: TAPI32.dll.7.dr Static PE information: section name: .yjv
Source: TAPI32.dll.7.dr Static PE information: section name: .clbcyy
Source: TAPI32.dll.7.dr Static PE information: section name: .xcyn
Source: TAPI32.dll.7.dr Static PE information: section name: .boqx
Source: TAPI32.dll.7.dr Static PE information: section name: .rnlia
Source: TAPI32.dll.7.dr Static PE information: section name: .ctip
Source: TAPI32.dll.7.dr Static PE information: section name: .fkv
Source: TAPI32.dll.7.dr Static PE information: section name: .pczrv
Source: TAPI32.dll.7.dr Static PE information: section name: .ibglr
Source: TAPI32.dll.7.dr Static PE information: section name: .uirkq
Source: TAPI32.dll.7.dr Static PE information: section name: .nzhxgg
Source: TAPI32.dll.7.dr Static PE information: section name: .ehmk
Source: WINSTA.dll.7.dr Static PE information: section name: .qkm
Source: WINSTA.dll.7.dr Static PE information: section name: .cvjb
Source: WINSTA.dll.7.dr Static PE information: section name: .tlmkv
Source: WINSTA.dll.7.dr Static PE information: section name: .wucsxe
Source: WINSTA.dll.7.dr Static PE information: section name: .wnx
Source: WINSTA.dll.7.dr Static PE information: section name: .weqy
Source: WINSTA.dll.7.dr Static PE information: section name: .yby
Source: WINSTA.dll.7.dr Static PE information: section name: .ormx
Source: WINSTA.dll.7.dr Static PE information: section name: .dhclu
Source: WINSTA.dll.7.dr Static PE information: section name: .xmiul
Source: WINSTA.dll.7.dr Static PE information: section name: .tlwcxe
Source: WINSTA.dll.7.dr Static PE information: section name: .get
Source: WINSTA.dll.7.dr Static PE information: section name: .hzrd
Source: WINSTA.dll.7.dr Static PE information: section name: .qzu
Source: WINSTA.dll.7.dr Static PE information: section name: .nhglos
Source: WINSTA.dll.7.dr Static PE information: section name: .itzo
Source: WINSTA.dll.7.dr Static PE information: section name: .nmsaom
Source: WINSTA.dll.7.dr Static PE information: section name: .rvhi
Source: WINSTA.dll.7.dr Static PE information: section name: .ucrzce
Source: WINSTA.dll.7.dr Static PE information: section name: .ijc
Source: WINSTA.dll.7.dr Static PE information: section name: .ohvs
Source: WINSTA.dll.7.dr Static PE information: section name: .rlvrc
Source: WINSTA.dll.7.dr Static PE information: section name: .yjv
Source: WINSTA.dll.7.dr Static PE information: section name: .clbcyy
Source: WINSTA.dll.7.dr Static PE information: section name: .xcyn
Source: WINSTA.dll.7.dr Static PE information: section name: .boqx
Source: WINSTA.dll.7.dr Static PE information: section name: .rnlia
Source: WINSTA.dll.7.dr Static PE information: section name: .ctip
Source: WINSTA.dll.7.dr Static PE information: section name: .fkv
Source: WINSTA.dll.7.dr Static PE information: section name: .pczrv
Source: WINSTA.dll.7.dr Static PE information: section name: .ibglr
Source: WINSTA.dll.7.dr Static PE information: section name: .uirkq
Source: WINSTA.dll.7.dr Static PE information: section name: .nzhxgg
Source: WINSTA.dll.7.dr Static PE information: section name: .elcx
Source: UxTheme.dll.7.dr Static PE information: section name: .qkm
Source: UxTheme.dll.7.dr Static PE information: section name: .cvjb
Source: UxTheme.dll.7.dr Static PE information: section name: .tlmkv
Source: UxTheme.dll.7.dr Static PE information: section name: .wucsxe
Source: UxTheme.dll.7.dr Static PE information: section name: .wnx
Source: UxTheme.dll.7.dr Static PE information: section name: .weqy
Source: UxTheme.dll.7.dr Static PE information: section name: .yby
Source: UxTheme.dll.7.dr Static PE information: section name: .ormx
Source: UxTheme.dll.7.dr Static PE information: section name: .dhclu
Source: UxTheme.dll.7.dr Static PE information: section name: .xmiul
Source: UxTheme.dll.7.dr Static PE information: section name: .tlwcxe
Source: UxTheme.dll.7.dr Static PE information: section name: .get
Source: UxTheme.dll.7.dr Static PE information: section name: .hzrd
Source: UxTheme.dll.7.dr Static PE information: section name: .qzu
Source: UxTheme.dll.7.dr Static PE information: section name: .nhglos
Source: UxTheme.dll.7.dr Static PE information: section name: .itzo
Source: UxTheme.dll.7.dr Static PE information: section name: .nmsaom
Source: UxTheme.dll.7.dr Static PE information: section name: .rvhi
Source: UxTheme.dll.7.dr Static PE information: section name: .ucrzce
Source: UxTheme.dll.7.dr Static PE information: section name: .ijc
Source: UxTheme.dll.7.dr Static PE information: section name: .ohvs
Source: UxTheme.dll.7.dr Static PE information: section name: .rlvrc
Source: UxTheme.dll.7.dr Static PE information: section name: .yjv
Source: UxTheme.dll.7.dr Static PE information: section name: .clbcyy
Source: UxTheme.dll.7.dr Static PE information: section name: .xcyn
Source: UxTheme.dll.7.dr Static PE information: section name: .boqx
Source: UxTheme.dll.7.dr Static PE information: section name: .rnlia
Source: UxTheme.dll.7.dr Static PE information: section name: .ctip
Source: UxTheme.dll.7.dr Static PE information: section name: .fkv
Source: UxTheme.dll.7.dr Static PE information: section name: .pczrv
Source: UxTheme.dll.7.dr Static PE information: section name: .ibglr
Source: UxTheme.dll.7.dr Static PE information: section name: .uirkq
Source: UxTheme.dll.7.dr Static PE information: section name: .nzhxgg
Source: UxTheme.dll.7.dr Static PE information: section name: .rjcvy
Source: DUI70.dll.7.dr Static PE information: section name: .qkm
Source: DUI70.dll.7.dr Static PE information: section name: .cvjb
Source: DUI70.dll.7.dr Static PE information: section name: .tlmkv
Source: DUI70.dll.7.dr Static PE information: section name: .wucsxe
Source: DUI70.dll.7.dr Static PE information: section name: .wnx
Source: DUI70.dll.7.dr Static PE information: section name: .weqy
Source: DUI70.dll.7.dr Static PE information: section name: .yby
Source: DUI70.dll.7.dr Static PE information: section name: .ormx
Source: DUI70.dll.7.dr Static PE information: section name: .dhclu
Source: DUI70.dll.7.dr Static PE information: section name: .xmiul
Source: DUI70.dll.7.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll.7.dr Static PE information: section name: .get
Source: DUI70.dll.7.dr Static PE information: section name: .hzrd
Source: DUI70.dll.7.dr Static PE information: section name: .qzu
Source: DUI70.dll.7.dr Static PE information: section name: .nhglos
Source: DUI70.dll.7.dr Static PE information: section name: .itzo
Source: DUI70.dll.7.dr Static PE information: section name: .nmsaom
Source: DUI70.dll.7.dr Static PE information: section name: .rvhi
Source: DUI70.dll.7.dr Static PE information: section name: .ucrzce
Source: DUI70.dll.7.dr Static PE information: section name: .ijc
Source: DUI70.dll.7.dr Static PE information: section name: .ohvs
Source: DUI70.dll.7.dr Static PE information: section name: .rlvrc
Source: DUI70.dll.7.dr Static PE information: section name: .yjv
Source: DUI70.dll.7.dr Static PE information: section name: .clbcyy
Source: DUI70.dll.7.dr Static PE information: section name: .xcyn
Source: DUI70.dll.7.dr Static PE information: section name: .boqx
Source: DUI70.dll.7.dr Static PE information: section name: .rnlia
Source: DUI70.dll.7.dr Static PE information: section name: .ctip
Source: DUI70.dll.7.dr Static PE information: section name: .fkv
Source: DUI70.dll.7.dr Static PE information: section name: .pczrv
Source: DUI70.dll.7.dr Static PE information: section name: .ibglr
Source: DUI70.dll.7.dr Static PE information: section name: .uirkq
Source: DUI70.dll.7.dr Static PE information: section name: .nzhxgg
Source: DUI70.dll.7.dr Static PE information: section name: .eerfji
Source: DUI70.dll0.7.dr Static PE information: section name: .qkm
Source: DUI70.dll0.7.dr Static PE information: section name: .cvjb
Source: DUI70.dll0.7.dr Static PE information: section name: .tlmkv
Source: DUI70.dll0.7.dr Static PE information: section name: .wucsxe
Source: DUI70.dll0.7.dr Static PE information: section name: .wnx
Source: DUI70.dll0.7.dr Static PE information: section name: .weqy
Source: DUI70.dll0.7.dr Static PE information: section name: .yby
Source: DUI70.dll0.7.dr Static PE information: section name: .ormx
Source: DUI70.dll0.7.dr Static PE information: section name: .dhclu
Source: DUI70.dll0.7.dr Static PE information: section name: .xmiul
Source: DUI70.dll0.7.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll0.7.dr Static PE information: section name: .get
Source: DUI70.dll0.7.dr Static PE information: section name: .hzrd
Source: DUI70.dll0.7.dr Static PE information: section name: .qzu
Source: DUI70.dll0.7.dr Static PE information: section name: .nhglos
Source: DUI70.dll0.7.dr Static PE information: section name: .itzo
Source: DUI70.dll0.7.dr Static PE information: section name: .nmsaom
Source: DUI70.dll0.7.dr Static PE information: section name: .rvhi
Source: DUI70.dll0.7.dr Static PE information: section name: .ucrzce
Source: DUI70.dll0.7.dr Static PE information: section name: .ijc
Source: DUI70.dll0.7.dr Static PE information: section name: .ohvs
Source: DUI70.dll0.7.dr Static PE information: section name: .rlvrc
Source: DUI70.dll0.7.dr Static PE information: section name: .yjv
Source: DUI70.dll0.7.dr Static PE information: section name: .clbcyy
Source: DUI70.dll0.7.dr Static PE information: section name: .xcyn
Source: DUI70.dll0.7.dr Static PE information: section name: .boqx
Source: DUI70.dll0.7.dr Static PE information: section name: .rnlia
Source: DUI70.dll0.7.dr Static PE information: section name: .ctip
Source: DUI70.dll0.7.dr Static PE information: section name: .fkv
Source: DUI70.dll0.7.dr Static PE information: section name: .pczrv
Source: DUI70.dll0.7.dr Static PE information: section name: .ibglr
Source: DUI70.dll0.7.dr Static PE information: section name: .uirkq
Source: DUI70.dll0.7.dr Static PE information: section name: .nzhxgg
Source: DUI70.dll0.7.dr Static PE information: section name: .jpg
Source: XmlLite.dll.7.dr Static PE information: section name: .qkm
Source: XmlLite.dll.7.dr Static PE information: section name: .cvjb
Source: XmlLite.dll.7.dr Static PE information: section name: .tlmkv
Source: XmlLite.dll.7.dr Static PE information: section name: .wucsxe
Source: XmlLite.dll.7.dr Static PE information: section name: .wnx
Source: XmlLite.dll.7.dr Static PE information: section name: .weqy
Source: XmlLite.dll.7.dr Static PE information: section name: .yby
Source: XmlLite.dll.7.dr Static PE information: section name: .ormx
Source: XmlLite.dll.7.dr Static PE information: section name: .dhclu
Source: XmlLite.dll.7.dr Static PE information: section name: .xmiul
Source: XmlLite.dll.7.dr Static PE information: section name: .tlwcxe
Source: XmlLite.dll.7.dr Static PE information: section name: .get
Source: XmlLite.dll.7.dr Static PE information: section name: .hzrd
Source: XmlLite.dll.7.dr Static PE information: section name: .qzu
Source: XmlLite.dll.7.dr Static PE information: section name: .nhglos
Source: XmlLite.dll.7.dr Static PE information: section name: .itzo
Source: XmlLite.dll.7.dr Static PE information: section name: .nmsaom
Source: XmlLite.dll.7.dr Static PE information: section name: .rvhi
Source: XmlLite.dll.7.dr Static PE information: section name: .ucrzce
Source: XmlLite.dll.7.dr Static PE information: section name: .ijc
Source: XmlLite.dll.7.dr Static PE information: section name: .ohvs
Source: XmlLite.dll.7.dr Static PE information: section name: .rlvrc
Source: XmlLite.dll.7.dr Static PE information: section name: .yjv
Source: XmlLite.dll.7.dr Static PE information: section name: .clbcyy
Source: XmlLite.dll.7.dr Static PE information: section name: .xcyn
Source: XmlLite.dll.7.dr Static PE information: section name: .boqx
Source: XmlLite.dll.7.dr Static PE information: section name: .rnlia
Source: XmlLite.dll.7.dr Static PE information: section name: .ctip
Source: XmlLite.dll.7.dr Static PE information: section name: .fkv
Source: XmlLite.dll.7.dr Static PE information: section name: .pczrv
Source: XmlLite.dll.7.dr Static PE information: section name: .ibglr
Source: XmlLite.dll.7.dr Static PE information: section name: .uirkq
Source: XmlLite.dll.7.dr Static PE information: section name: .nzhxgg
Source: XmlLite.dll.7.dr Static PE information: section name: .zuvehe
Source: VERSION.dll.7.dr Static PE information: section name: .qkm
Source: VERSION.dll.7.dr Static PE information: section name: .cvjb
Source: VERSION.dll.7.dr Static PE information: section name: .tlmkv
Source: VERSION.dll.7.dr Static PE information: section name: .wucsxe
Source: VERSION.dll.7.dr Static PE information: section name: .wnx
Source: VERSION.dll.7.dr Static PE information: section name: .weqy
Source: VERSION.dll.7.dr Static PE information: section name: .yby
Source: VERSION.dll.7.dr Static PE information: section name: .ormx
Source: VERSION.dll.7.dr Static PE information: section name: .dhclu
Source: VERSION.dll.7.dr Static PE information: section name: .xmiul
Source: VERSION.dll.7.dr Static PE information: section name: .tlwcxe
Source: VERSION.dll.7.dr Static PE information: section name: .get
Source: VERSION.dll.7.dr Static PE information: section name: .hzrd
Source: VERSION.dll.7.dr Static PE information: section name: .qzu
Source: VERSION.dll.7.dr Static PE information: section name: .nhglos
Source: VERSION.dll.7.dr Static PE information: section name: .itzo
Source: VERSION.dll.7.dr Static PE information: section name: .nmsaom
Source: VERSION.dll.7.dr Static PE information: section name: .rvhi
Source: VERSION.dll.7.dr Static PE information: section name: .ucrzce
Source: VERSION.dll.7.dr Static PE information: section name: .ijc
Source: VERSION.dll.7.dr Static PE information: section name: .ohvs
Source: VERSION.dll.7.dr Static PE information: section name: .rlvrc
Source: VERSION.dll.7.dr Static PE information: section name: .yjv
Source: VERSION.dll.7.dr Static PE information: section name: .clbcyy
Source: VERSION.dll.7.dr Static PE information: section name: .xcyn
Source: VERSION.dll.7.dr Static PE information: section name: .boqx
Source: VERSION.dll.7.dr Static PE information: section name: .rnlia
Source: VERSION.dll.7.dr Static PE information: section name: .ctip
Source: VERSION.dll.7.dr Static PE information: section name: .fkv
Source: VERSION.dll.7.dr Static PE information: section name: .pczrv
Source: VERSION.dll.7.dr Static PE information: section name: .ibglr
Source: VERSION.dll.7.dr Static PE information: section name: .uirkq
Source: VERSION.dll.7.dr Static PE information: section name: .nzhxgg
Source: VERSION.dll.7.dr Static PE information: section name: .aehm
Source: DUI70.dll1.7.dr Static PE information: section name: .qkm
Source: DUI70.dll1.7.dr Static PE information: section name: .cvjb
Source: DUI70.dll1.7.dr Static PE information: section name: .tlmkv
Source: DUI70.dll1.7.dr Static PE information: section name: .wucsxe
Source: DUI70.dll1.7.dr Static PE information: section name: .wnx
Source: DUI70.dll1.7.dr Static PE information: section name: .weqy
Source: DUI70.dll1.7.dr Static PE information: section name: .yby
Source: DUI70.dll1.7.dr Static PE information: section name: .ormx
Source: DUI70.dll1.7.dr Static PE information: section name: .dhclu
Source: DUI70.dll1.7.dr Static PE information: section name: .xmiul
Source: DUI70.dll1.7.dr Static PE information: section name: .tlwcxe
Source: DUI70.dll1.7.dr Static PE information: section name: .get
Source: DUI70.dll1.7.dr Static PE information: section name: .hzrd
Source: DUI70.dll1.7.dr Static PE information: section name: .qzu
Source: DUI70.dll1.7.dr Static PE information: section name: .nhglos
Source: DUI70.dll1.7.dr Static PE information: section name: .itzo
Source: DUI70.dll1.7.dr Static PE information: section name: .nmsaom
Source: DUI70.dll1.7.dr Static PE information: section name: .rvhi
Source: DUI70.dll1.7.dr Static PE information: section name: .ucrzce
Source: DUI70.dll1.7.dr Static PE information: section name: .ijc
Source: DUI70.dll1.7.dr Static PE information: section name: .ohvs
Source: DUI70.dll1.7.dr Static PE information: section name: .rlvrc
Source: DUI70.dll1.7.dr Static PE information: section name: .yjv
Source: DUI70.dll1.7.dr Static PE information: section name: .clbcyy
Source: DUI70.dll1.7.dr Static PE information: section name: .xcyn
Source: DUI70.dll1.7.dr Static PE information: section name: .boqx
Source: DUI70.dll1.7.dr Static PE information: section name: .rnlia
Source: DUI70.dll1.7.dr Static PE information: section name: .ctip
Source: DUI70.dll1.7.dr Static PE information: section name: .fkv
Source: DUI70.dll1.7.dr Static PE information: section name: .pczrv
Source: DUI70.dll1.7.dr Static PE information: section name: .ibglr
Source: DUI70.dll1.7.dr Static PE information: section name: .uirkq
Source: DUI70.dll1.7.dr Static PE information: section name: .nzhxgg
Source: DUI70.dll1.7.dr Static PE information: section name: .xejymf
Source: MFC42u.dll.7.dr Static PE information: section name: .qkm
Source: MFC42u.dll.7.dr Static PE information: section name: .cvjb
Source: MFC42u.dll.7.dr Static PE information: section name: .tlmkv
Source: MFC42u.dll.7.dr Static PE information: section name: .wucsxe
Source: MFC42u.dll.7.dr Static PE information: section name: .wnx
Source: MFC42u.dll.7.dr Static PE information: section name: .weqy
Source: MFC42u.dll.7.dr Static PE information: section name: .yby
Source: MFC42u.dll.7.dr Static PE information: section name: .ormx
Source: MFC42u.dll.7.dr Static PE information: section name: .dhclu
Source: MFC42u.dll.7.dr Static PE information: section name: .xmiul
Source: MFC42u.dll.7.dr Static PE information: section name: .tlwcxe
Source: MFC42u.dll.7.dr Static PE information: section name: .get
Source: MFC42u.dll.7.dr Static PE information: section name: .hzrd
Source: MFC42u.dll.7.dr Static PE information: section name: .qzu
Source: MFC42u.dll.7.dr Static PE information: section name: .nhglos
Source: MFC42u.dll.7.dr Static PE information: section name: .itzo
Source: MFC42u.dll.7.dr Static PE information: section name: .nmsaom
Source: MFC42u.dll.7.dr Static PE information: section name: .rvhi
Source: MFC42u.dll.7.dr Static PE information: section name: .ucrzce
Source: MFC42u.dll.7.dr Static PE information: section name: .ijc
Source: MFC42u.dll.7.dr Static PE information: section name: .ohvs
Source: MFC42u.dll.7.dr Static PE information: section name: .rlvrc
Source: MFC42u.dll.7.dr Static PE information: section name: .yjv
Source: MFC42u.dll.7.dr Static PE information: section name: .clbcyy
Source: MFC42u.dll.7.dr Static PE information: section name: .xcyn
Source: MFC42u.dll.7.dr Static PE information: section name: .boqx
Source: MFC42u.dll.7.dr Static PE information: section name: .rnlia
Source: MFC42u.dll.7.dr Static PE information: section name: .ctip
Source: MFC42u.dll.7.dr Static PE information: section name: .fkv
Source: MFC42u.dll.7.dr Static PE information: section name: .pczrv
Source: MFC42u.dll.7.dr Static PE information: section name: .ibglr
Source: MFC42u.dll.7.dr Static PE information: section name: .uirkq
Source: MFC42u.dll.7.dr Static PE information: section name: .nzhxgg
Source: MFC42u.dll.7.dr Static PE information: section name: .hfqwpo
Source: WINMM.dll.7.dr Static PE information: section name: .qkm
Source: WINMM.dll.7.dr Static PE information: section name: .cvjb
Source: WINMM.dll.7.dr Static PE information: section name: .tlmkv
Source: WINMM.dll.7.dr Static PE information: section name: .wucsxe
Source: WINMM.dll.7.dr Static PE information: section name: .wnx
Source: WINMM.dll.7.dr Static PE information: section name: .weqy
Source: WINMM.dll.7.dr Static PE information: section name: .yby
Source: WINMM.dll.7.dr Static PE information: section name: .ormx
Source: WINMM.dll.7.dr Static PE information: section name: .dhclu
Source: WINMM.dll.7.dr Static PE information: section name: .xmiul
Source: WINMM.dll.7.dr Static PE information: section name: .tlwcxe
Source: WINMM.dll.7.dr Static PE information: section name: .get
Source: WINMM.dll.7.dr Static PE information: section name: .hzrd
Source: WINMM.dll.7.dr Static PE information: section name: .qzu
Source: WINMM.dll.7.dr Static PE information: section name: .nhglos
Source: WINMM.dll.7.dr Static PE information: section name: .itzo
Source: WINMM.dll.7.dr Static PE information: section name: .nmsaom
Source: WINMM.dll.7.dr Static PE information: section name: .rvhi
Source: WINMM.dll.7.dr Static PE information: section name: .ucrzce
Source: WINMM.dll.7.dr Static PE information: section name: .ijc
Source: WINMM.dll.7.dr Static PE information: section name: .ohvs
Source: WINMM.dll.7.dr Static PE information: section name: .rlvrc
Source: WINMM.dll.7.dr Static PE information: section name: .yjv
Source: WINMM.dll.7.dr Static PE information: section name: .clbcyy
Source: WINMM.dll.7.dr Static PE information: section name: .xcyn
Source: WINMM.dll.7.dr Static PE information: section name: .boqx
Source: WINMM.dll.7.dr Static PE information: section name: .rnlia
Source: WINMM.dll.7.dr Static PE information: section name: .ctip
Source: WINMM.dll.7.dr Static PE information: section name: .fkv
Source: WINMM.dll.7.dr Static PE information: section name: .pczrv
Source: WINMM.dll.7.dr Static PE information: section name: .ibglr
Source: WINMM.dll.7.dr Static PE information: section name: .uirkq
Source: WINMM.dll.7.dr Static PE information: section name: .nzhxgg
Source: WINMM.dll.7.dr Static PE information: section name: .dva
Source: DUser.dll.7.dr Static PE information: section name: .qkm
Source: DUser.dll.7.dr Static PE information: section name: .cvjb
Source: DUser.dll.7.dr Static PE information: section name: .tlmkv
Source: DUser.dll.7.dr Static PE information: section name: .wucsxe
Source: DUser.dll.7.dr Static PE information: section name: .wnx
Source: DUser.dll.7.dr Static PE information: section name: .weqy
Source: DUser.dll.7.dr Static PE information: section name: .yby
Source: DUser.dll.7.dr Static PE information: section name: .ormx
Source: DUser.dll.7.dr Static PE information: section name: .dhclu
Source: DUser.dll.7.dr Static PE information: section name: .xmiul
Source: DUser.dll.7.dr Static PE information: section name: .tlwcxe
Source: DUser.dll.7.dr Static PE information: section name: .get
Source: DUser.dll.7.dr Static PE information: section name: .hzrd
Source: DUser.dll.7.dr Static PE information: section name: .qzu
Source: DUser.dll.7.dr Static PE information: section name: .nhglos
Source: DUser.dll.7.dr Static PE information: section name: .itzo
Source: DUser.dll.7.dr Static PE information: section name: .nmsaom
Source: DUser.dll.7.dr Static PE information: section name: .rvhi
Source: DUser.dll.7.dr Static PE information: section name: .ucrzce
Source: DUser.dll.7.dr Static PE information: section name: .ijc
Source: DUser.dll.7.dr Static PE information: section name: .ohvs
Source: DUser.dll.7.dr Static PE information: section name: .rlvrc
Source: DUser.dll.7.dr Static PE information: section name: .yjv
Source: DUser.dll.7.dr Static PE information: section name: .clbcyy
Source: DUser.dll.7.dr Static PE information: section name: .xcyn
Source: DUser.dll.7.dr Static PE information: section name: .boqx
Source: DUser.dll.7.dr Static PE information: section name: .rnlia
Source: DUser.dll.7.dr Static PE information: section name: .ctip
Source: DUser.dll.7.dr Static PE information: section name: .fkv
Source: DUser.dll.7.dr Static PE information: section name: .pczrv
Source: DUser.dll.7.dr Static PE information: section name: .ibglr
Source: DUser.dll.7.dr Static PE information: section name: .uirkq
Source: DUser.dll.7.dr Static PE information: section name: .nzhxgg
Source: DUser.dll.7.dr Static PE information: section name: .scy
Source: credui.dll.7.dr Static PE information: section name: .qkm
Source: credui.dll.7.dr Static PE information: section name: .cvjb
Source: credui.dll.7.dr Static PE information: section name: .tlmkv
Source: credui.dll.7.dr Static PE information: section name: .wucsxe
Source: credui.dll.7.dr Static PE information: section name: .wnx
Source: credui.dll.7.dr Static PE information: section name: .weqy
Source: credui.dll.7.dr Static PE information: section name: .yby
Source: credui.dll.7.dr Static PE information: section name: .ormx
Source: credui.dll.7.dr Static PE information: section name: .dhclu
Source: credui.dll.7.dr Static PE information: section name: .xmiul
Source: credui.dll.7.dr Static PE information: section name: .tlwcxe
Source: credui.dll.7.dr Static PE information: section name: .get
Source: credui.dll.7.dr Static PE information: section name: .hzrd
Source: credui.dll.7.dr Static PE information: section name: .qzu
Source: credui.dll.7.dr Static PE information: section name: .nhglos
Source: credui.dll.7.dr Static PE information: section name: .itzo
Source: credui.dll.7.dr Static PE information: section name: .nmsaom
Source: credui.dll.7.dr Static PE information: section name: .rvhi
Source: credui.dll.7.dr Static PE information: section name: .ucrzce
Source: credui.dll.7.dr Static PE information: section name: .ijc
Source: credui.dll.7.dr Static PE information: section name: .ohvs
Source: credui.dll.7.dr Static PE information: section name: .rlvrc
Source: credui.dll.7.dr Static PE information: section name: .yjv
Source: credui.dll.7.dr Static PE information: section name: .clbcyy
Source: credui.dll.7.dr Static PE information: section name: .xcyn
Source: credui.dll.7.dr Static PE information: section name: .boqx
Source: credui.dll.7.dr Static PE information: section name: .rnlia
Source: credui.dll.7.dr Static PE information: section name: .ctip
Source: credui.dll.7.dr Static PE information: section name: .fkv
Source: credui.dll.7.dr Static PE information: section name: .pczrv
Source: credui.dll.7.dr Static PE information: section name: .ibglr
Source: credui.dll.7.dr Static PE information: section name: .uirkq
Source: credui.dll.7.dr Static PE information: section name: .nzhxgg
Source: credui.dll.7.dr Static PE information: section name: .ihemj
Source: VERSION.dll0.7.dr Static PE information: section name: .qkm
Source: VERSION.dll0.7.dr Static PE information: section name: .cvjb
Source: VERSION.dll0.7.dr Static PE information: section name: .tlmkv
Source: VERSION.dll0.7.dr Static PE information: section name: .wucsxe
Source: VERSION.dll0.7.dr Static PE information: section name: .wnx
Source: VERSION.dll0.7.dr Static PE information: section name: .weqy
Source: VERSION.dll0.7.dr Static PE information: section name: .yby
Source: VERSION.dll0.7.dr Static PE information: section name: .ormx
Source: VERSION.dll0.7.dr Static PE information: section name: .dhclu
Source: VERSION.dll0.7.dr Static PE information: section name: .xmiul
Source: VERSION.dll0.7.dr Static PE information: section name: .tlwcxe
Source: VERSION.dll0.7.dr Static PE information: section name: .get
Source: VERSION.dll0.7.dr Static PE information: section name: .hzrd
Source: VERSION.dll0.7.dr Static PE information: section name: .qzu
Source: VERSION.dll0.7.dr Static PE information: section name: .nhglos
Source: VERSION.dll0.7.dr Static PE information: section name: .itzo
Source: VERSION.dll0.7.dr Static PE information: section name: .nmsaom
Source: VERSION.dll0.7.dr Static PE information: section name: .rvhi
Source: VERSION.dll0.7.dr Static PE information: section name: .ucrzce
Source: VERSION.dll0.7.dr Static PE information: section name: .ijc
Source: VERSION.dll0.7.dr Static PE information: section name: .ohvs
Source: VERSION.dll0.7.dr Static PE information: section name: .rlvrc
Source: VERSION.dll0.7.dr Static PE information: section name: .yjv
Source: VERSION.dll0.7.dr Static PE information: section name: .clbcyy
Source: VERSION.dll0.7.dr Static PE information: section name: .xcyn
Source: VERSION.dll0.7.dr Static PE information: section name: .boqx
Source: VERSION.dll0.7.dr Static PE information: section name: .rnlia
Source: VERSION.dll0.7.dr Static PE information: section name: .ctip
Source: VERSION.dll0.7.dr Static PE information: section name: .fkv
Source: VERSION.dll0.7.dr Static PE information: section name: .pczrv
Source: VERSION.dll0.7.dr Static PE information: section name: .ibglr
Source: VERSION.dll0.7.dr Static PE information: section name: .uirkq
Source: VERSION.dll0.7.dr Static PE information: section name: .nzhxgg
Source: VERSION.dll0.7.dr Static PE information: section name: .dbai
PE file contains an invalid checksum
Source: DUI70.dll.7.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1c4f03
Source: DUI70.dll1.7.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1c4995
Source: WINMM.dll.7.dr Static PE information: real checksum: 0x7d786c40 should be: 0x178e04
Source: WINSTA.dll.7.dr Static PE information: real checksum: 0x7d786c40 should be: 0x181df2
Source: credui.dll.7.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1794c1
Source: VERSION.dll0.7.dr Static PE information: real checksum: 0x7d786c40 should be: 0x177cd8
Source: TAPI32.dll.7.dr Static PE information: real checksum: 0x7d786c40 should be: 0x183dcc
Source: UxTheme.dll.7.dr Static PE information: real checksum: 0x7d786c40 should be: 0x174d23
Source: MFC42u.dll.7.dr Static PE information: real checksum: 0x7d786c40 should be: 0x17a777
Source: PSnPApRPsG.dll Static PE information: real checksum: 0x7d786c40 should be: 0x176961
Source: DUI70.dll0.7.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1c7e5d
Source: VERSION.dll.7.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1778c6
Source: XmlLite.dll.7.dr Static PE information: real checksum: 0x7d786c40 should be: 0x17dc29
Source: DUser.dll.7.dr Static PE information: real checksum: 0x7d786c40 should be: 0x183b87
Binary contains a suspicious time stamp
Source: msdt.exe.7.dr Static PE information: 0xFF860234 [Fri Nov 6 17:41:08 2105 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\nmYaGulOu\UxTheme.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\HtmF\credui.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\YaR\MFC42u.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\72PXeqK\tcmsetup.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ifnj9zHVv\VERSION.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Tp5KLY\psr.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\TQbOBk\DUser.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\TQbOBk\EaseOfAccessDialog.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\a5Q9CELTE\VERSION.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\YaR\DevicePairingWizard.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\HtmF\perfmon.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Tp5KLY\XmlLite.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\a5Q9CELTE\ie4uinit.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\72PXeqK\TAPI32.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\RjGeORx\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\hUhx9Ta\WINSTA.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\yC4r\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\br5u0t\WINMM.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\PVSXo\DUI70.dll
Source: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe Code function: 20_2_00007FF6774732D4 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,StartServiceW,GetLastError,QueryServiceStatus,Sleep,GetLastError,CloseServiceHandle,CloseServiceHandle, 20_2_00007FF6774732D4
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6672 Thread sleep count: 56 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\72PXeqK\tcmsetup.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\a5Q9CELTE\ie4uinit.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\HtmF\credui.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\TQbOBk\EaseOfAccessDialog.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\HtmF\perfmon.exe
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DB9770 GetSystemTimeAsFileTime followed by cmp: cmp eax, 03h and CTI: jne 00007FF631DB9EC7h 31_2_00007FF631DB9770
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DB9770 GetSystemTimeAsFileTime followed by cmp: cmp rdi, 02h and CTI: jne 00007FF631DB9C68h 31_2_00007FF631DB9770
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D79770 GetSystemTimeAsFileTime followed by cmp: cmp eax, 03h and CTI: jne 00007FF6A2D79EC7h 33_2_00007FF6A2D79770
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D79770 GetSystemTimeAsFileTime followed by cmp: cmp rdi, 02h and CTI: jne 00007FF6A2D79C68h 33_2_00007FF6A2D79770
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F3649C rdtsc 40_2_00007FF7B1F3649C
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005C340 GetSystemInfo, 1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D290 FindFirstFileExW, 1_2_000000014005D290
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB16720 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 23_2_00007FF6EDB16720
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB2A65C memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 23_2_00007FF6EDB2A65C
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB2BD48 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 23_2_00007FF6EDB2BD48
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB17784 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 23_2_00007FF6EDB17784
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB12770 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 23_2_00007FF6EDB12770
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB16494 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,#13,GetLastError,GetProcessHeap,HeapFree, 23_2_00007FF6EDB16494
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB17C3C GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree, 23_2_00007FF6EDB17C3C
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DC7A2C memset,PathCombineW,FindFirstFileW,GetLastError,PathCombineW,FindClose, 31_2_00007FF631DC7A2C
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DD15A8 GlobalAlloc,CharLowerA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,lstrlenA,FileTimeToLocalFileTime,FileTimeToDosDateTime,lstrlenA,FindNextFileA,FindNextFileA,FindClose,GlobalLock,GlobalUnlock,GlobalLock,GlobalUnlock,lstrlenA,FileTimeToLocalFileTime,FileTimeToDosDateTime,lstrlenA,lstrlenA,lstrlenA,GlobalFree, 31_2_00007FF631DD15A8
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DD1168 memset,lstrlenA,lstrlenA,lstrlenA,FindFirstFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,FindNextFileA,lstrcmpA,lstrcmpA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose, 31_2_00007FF631DD1168
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D87A2C memset,PathCombineW,FindFirstFileW,GetLastError,PathCombineW,FindClose, 33_2_00007FF6A2D87A2C
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D915A8 GlobalAlloc,CharLowerA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,lstrlenA,FileTimeToLocalFileTime,FileTimeToDosDateTime,lstrlenA,FindNextFileA,FindNextFileA,FindClose,GlobalLock,GlobalUnlock,GlobalLock,GlobalUnlock,lstrlenA,FileTimeToLocalFileTime,FileTimeToDosDateTime,lstrlenA,lstrlenA,lstrlenA,GlobalFree, 33_2_00007FF6A2D915A8
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D91168 memset,lstrlenA,lstrlenA,lstrlenA,FindFirstFileA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,FindNextFileA,lstrcmpA,lstrcmpA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose, 33_2_00007FF6A2D91168
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F44518 PathAppendW,FindFirstFileW,PathAppendW,GetLastError,PathFindExtensionW,StrCmpICW,FindNextFileW,FindClose,GetLastError, 40_2_00007FF7B1F44518
Source: explorer.exe, 00000007.00000000.704198002.000000000A64D000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.704139453.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.719832561.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.687193904.000000000A897000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}""
Source: explorer.exe, 00000007.00000000.687343282.000000000A9AD000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATA|
Source: explorer.exe, 00000007.00000000.679017493.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000007.00000000.723286294.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000007.00000000.686537822.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Code function: 29_2_00007FF70C018454 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 29_2_00007FF70C018454
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB0C6FC GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysFreeString,SysFreeString,SysFreeString,FreeLibrary, 23_2_00007FF6EDB0C6FC
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F3649C rdtsc 40_2_00007FF7B1F3649C
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140048AC0 LdrLoadDll,FindClose, 1_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\72PXeqK\tcmsetup.exe Code function: 18_2_00007FF708132330 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FF708132330
Source: C:\Users\user\AppData\Local\72PXeqK\tcmsetup.exe Code function: 18_2_00007FF708132530 SetUnhandledExceptionFilter, 18_2_00007FF708132530
Source: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe Code function: 20_2_00007FF677474010 SetUnhandledExceptionFilter, 20_2_00007FF677474010
Source: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe Code function: 20_2_00007FF677473E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00007FF677473E18
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB35E58 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_00007FF6EDB35E58
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB36140 SetUnhandledExceptionFilter, 23_2_00007FF6EDB36140
Source: C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe Code function: 26_2_00007FF7A2AF7480 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_00007FF7A2AF7480
Source: C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe Code function: 26_2_00007FF7A2AF7680 SetUnhandledExceptionFilter, 26_2_00007FF7A2AF7680
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Code function: 29_2_00007FF70C0409B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 29_2_00007FF70C0409B4
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Code function: 29_2_00007FF70C040740 SetUnhandledExceptionFilter, 29_2_00007FF70C040740
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DDA730 SetUnhandledExceptionFilter, 31_2_00007FF631DDA730
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DDA368 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_00007FF631DDA368
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D9A368 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 33_2_00007FF6A2D9A368
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Code function: 33_2_00007FF6A2D9A730 SetUnhandledExceptionFilter, 33_2_00007FF6A2D9A730
Source: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe Code function: 36_2_00007FF70E3F4014 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_00007FF70E3F4014
Source: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe Code function: 36_2_00007FF70E3F3D90 SetUnhandledExceptionFilter, 36_2_00007FF70E3F3D90
Source: C:\Users\user\AppData\Local\YaR\DevicePairingWizard.exe Code function: 38_2_00007FF621236340 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 38_2_00007FF621236340
Source: C:\Users\user\AppData\Local\YaR\DevicePairingWizard.exe Code function: 38_2_00007FF621236630 SetUnhandledExceptionFilter, 38_2_00007FF621236630
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F45460 SetUnhandledExceptionFilter, 40_2_00007FF7B1F45460
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Code function: 40_2_00007FF7B1F451B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 40_2_00007FF7B1F451B0

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: TAPI32.dll.7.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFABD58EFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFABD58E000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFABB012A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDAFFF54 memset,GetModuleFileNameW,GetLastError,memset,ShellExecuteExW,CreateThread,GetLastError,GetProcessHeap,HeapFree,GetLastError, 23_2_00007FF6EDAFFF54
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\PSnPApRPsG.dll',#1
Source: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe Code function: 20_2_00007FF6774727F8 memset,InitializeSecurityDescriptor,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,LocalAlloc,memset,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,LocalAlloc,memset,GetTokenInformation,GetLastError,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,InitializeAcl,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,LocalFree,CloseHandle, 20_2_00007FF6774727F8
Source: C:\Users\user\AppData\Local\72PXeqK\tcmsetup.exe Code function: 18_2_00007FF708131618 HeapSetInformation,GetModuleHandleW,LoadStringW,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,GetCommandLineW, 18_2_00007FF708131618
Source: explorer.exe, 00000007.00000000.678272412.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000007.00000000.730825412.0000000001080000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.730825412.0000000001080000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.730825412.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.730825412.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.723286294.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\72PXeqK\tcmsetup.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\72PXeqK\tcmsetup.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\ifnj9zHVv\psr.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\YaR\DevicePairingWizard.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\YaR\DevicePairingWizard.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\br5u0t\PresentationSettings.exe Queries volume information: unknown VolumeInformation
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDB1A0D0 GetProcessHeap,HeapAlloc,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateEventW,CreateNamedPipeW,ConnectNamedPipe,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,LocalFree, 23_2_00007FF6EDB1A0D0
Source: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe Code function: 20_2_00007FF6774741B0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 20_2_00007FF6774741B0
Source: C:\Users\user\AppData\Local\Tp5KLY\psr.exe Code function: 31_2_00007FF631DC98B0 memset,GetVersionExW,GetProductInfo,SHCreateStreamOnFileEx,CreateXmlWriter, 31_2_00007FF631DC98B0
Source: C:\Users\user\AppData\Local\nmYaGulOu\msdt.exe Code function: 23_2_00007FF6EDAF7970 GetProcessHeap,HeapAlloc,GetUserNameExW,GetLastError,SysFreeString,GetProcessHeap,HeapFree, 23_2_00007FF6EDAF7970

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe Code function: 20_2_00007FF677473218 RpcBindingFree,NdrClientCall3, 20_2_00007FF677473218
Source: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe Code function: 20_2_00007FF677473648 memset,CreateBindCtx,StringFromCLSID,MkParseDisplayName,CoTaskMemFree, 20_2_00007FF677473648
Source: C:\Users\user\AppData\Local\hUhx9Ta\RdpSaUacHelper.exe Code function: 20_2_00007FF6774733E8 memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,LocalAlloc,CreateWellKnownSid,GetLastError,RpcBindingSetAuthInfoExW,LocalFree,RpcBindingFree, 20_2_00007FF6774733E8
Source: C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe Code function: 26_2_00007FF7A2AF459C memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,AllocateAndInitializeSid,GetLastError,RpcBindingSetAuthInfoExW,RpcStringFreeW,FreeSid,RpcBindingFree, 26_2_00007FF7A2AF459C
Source: C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe Code function: 26_2_00007FF7A2AF47F9 RpcBindingFree, 26_2_00007FF7A2AF47F9
Source: C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe Code function: 26_2_00007FF7A2AF4932 RpcBindingFree, 26_2_00007FF7A2AF4932
Source: C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe Code function: 26_2_00007FF7A2AF4730 NdrClientCall3,RpcBindingFree, 26_2_00007FF7A2AF4730
Source: C:\Users\user\AppData\Local\RjGeORx\bdechangepin.exe Code function: 26_2_00007FF7A2AF4868 NdrClientCall3,RpcBindingFree, 26_2_00007FF7A2AF4868
Source: C:\Users\user\AppData\Local\yC4r\ProximityUxHost.exe Code function: 29_2_00007FF70C02C8A0 TlsGetValue,TlsSetValue,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?CreateBool@Value@DirectUI@@SAPEAV12@_N@Z,?AccessibleProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ,?SetValue@Element@DirectUI@@QEAAJP6APEBUPropertyInfo@2@XZHPEAVValue@2@@Z,?_ZeroRelease@Value@DirectUI@@AEAAXXZ,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?GetClassInfoPtr@ModernProgressBar@DirectUI@@SAPEAUIClassInfo@2@XZ,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ,TlsGetValue,TlsSetValue, 29_2_00007FF70C02C8A0
Source: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe Code function: 36_2_00007FF70E3F3578 memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,LocalAlloc,CreateWellKnownSid,GetLastError,RpcBindingSetAuthInfoExW,LocalFree,RpcBindingFree, 36_2_00007FF70E3F3578
Source: C:\Users\user\AppData\Local\PVSXo\wlrmdr.exe Code function: 36_2_00007FF70E3F3020 memset,RpcBindingFree,GetAncestor,EnableWindow,CloseHandle,RpcAsyncInitializeHandle,Ndr64AsyncClientCall,EnableWindow,LocalFree, 36_2_00007FF70E3F3020
No contacted IP infos