Windows Analysis Report 2JlIMkLNXh

Overview

General Information

Sample Name: 2JlIMkLNXh (renamed file extension from none to dll)
Analysis ID: 492758
MD5: fe213638baba7c73e9addd779b4f078a
SHA1: e463b86c2e573569643c5e24668bd291d7c2e6b0
SHA256: 27f32618162b8a522fc5fb8fb832848acb724cf2ac0c03b8488b2c405c582d6a
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 2JlIMkLNXh.dll Virustotal: Detection: 69%
Source: 2JlIMkLNXh.dll ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: 2JlIMkLNXh.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\fJxx4Zu\Secur32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\YTBx\TAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: 2JlIMkLNXh.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\fJxx4Zu\Secur32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\YTBx\TAPI32.dll Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF66038F8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree, 22_2_00007FF66038F8FC
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF66038F52C CryptProtectData,LocalAlloc,LocalFree, 22_2_00007FF66038F52C
Source: 2JlIMkLNXh.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: tcmsetup.pdbGCTL source: tcmsetup.exe, 0000001A.00000002.396429256.00007FF6193B3000.00000002.00020000.sdmp, tcmsetup.exe.6.dr
Source: Binary string: mstsc.pdbGCTL source: mstsc.exe, 00000016.00000000.351116745.00007FF660434000.00000002.00020000.sdmp, mstsc.exe.6.dr
Source: Binary string: mstsc.pdb source: mstsc.exe, 00000016.00000000.351116745.00007FF660434000.00000002.00020000.sdmp, mstsc.exe.6.dr
Source: Binary string: tcmsetup.pdb source: tcmsetup.exe, 0000001A.00000002.396429256.00007FF6193B3000.00000002.00020000.sdmp, tcmsetup.exe.6.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D290 FindFirstFileExW, 1_2_000000014005D290
Source: explorer.exe, 0000001C.00000002.783735126.0000000006A87000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000000.305635273.000000000DC20000.00000004.00000001.sdmp String found in binary or memory: http://schemas.miC
Source: explorer.exe, 00000006.00000000.305635273.000000000DC20000.00000004.00000001.sdmp String found in binary or memory: http://schemas.microso
Source: explorer.exe, 00000006.00000000.305635273.000000000DC20000.00000004.00000001.sdmp String found in binary or memory: http://schemas.microsoft.c
Source: explorer.exe, 00000006.00000000.288544187.000000000DC20000.00000004.00000001.sdmp String found in binary or memory: http://schemas.microsoft.co

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000005.00000002.251743405.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.257720074.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.374374689.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.342710737.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.266384036.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.272046081.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.394057525.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140034870 1_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140035270 1_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140048AC0 1_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005C340 1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140065B80 1_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006A4B0 1_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400524B0 1_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140026CC0 1_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004BD40 1_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400495B0 1_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140036F30 1_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140069010 1_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140001010 1_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140066020 1_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002F840 1_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D850 1_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140064080 1_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140010880 1_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400688A0 1_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002D0D0 1_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400018D0 1_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140016100 1_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001D100 1_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002A110 1_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001D910 1_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140015120 1_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000B120 1_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004F940 1_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140039140 1_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140023140 1_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140057950 1_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001E170 1_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140002980 1_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400611A0 1_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400389A0 1_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400381A0 1_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002E1B0 1_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400139D0 1_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400319F0 1_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002EA00 1_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140022A00 1_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003B220 1_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140067A40 1_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140069A50 1_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140007A60 1_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003AAC0 1_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003A2E0 1_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140062B00 1_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140018300 1_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002FB20 1_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140031340 1_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140022340 1_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140017B40 1_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000BB40 1_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004EB60 1_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140005370 1_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002CB80 1_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B390 1_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140054BA0 1_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140033BB0 1_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400263C0 1_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400123C0 1_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140063BD0 1_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400663F0 1_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140023BF0 1_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B41B 1_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B424 1_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B42D 1_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B436 1_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B43D 1_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140024440 1_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140005C40 1_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B446 1_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005F490 1_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140022D00 1_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140035520 1_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140019D20 1_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140030530 1_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140023530 1_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140031540 1_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140033540 1_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014007BD50 1_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140078570 1_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140019580 1_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400205A0 1_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140025DB0 1_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140071DC0 1_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000C5C0 1_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002DDE0 1_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140031DF0 1_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000DDF0 1_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140001620 1_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140018630 1_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140032650 1_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140064E80 1_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140016E80 1_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140007EA0 1_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400286B0 1_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140006EB0 1_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400276C0 1_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002FEC0 1_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002EED0 1_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002B6E0 1_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140053F20 1_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140022730 1_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140029780 1_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140018F80 1_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003EFB0 1_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400067B0 1_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400667D0 1_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140060FE0 1_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF6603239A0 22_2_00007FF6603239A0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF66032CE08 22_2_00007FF66032CE08
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF6603235EC 22_2_00007FF6603235EC
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF660328DF0 22_2_00007FF660328DF0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF6603A1690 22_2_00007FF6603A1690
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF66031DA8C 22_2_00007FF66031DA8C
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF66032EAB4 22_2_00007FF66032EAB4
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF660354320 22_2_00007FF660354320
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF660314EC4 22_2_00007FF660314EC4
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF6603312E0 22_2_00007FF6603312E0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF660316B94 22_2_00007FF660316B94
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF660315410 22_2_00007FF660315410
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF6603277C0 22_2_00007FF6603277C0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF66032A858 22_2_00007FF66032A858
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF660328060 22_2_00007FF660328060
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF6603284C0 22_2_00007FF6603284C0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF6603264DC 22_2_00007FF6603264DC
Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe Code function: 26_2_00007FF6193B1A38 26_2_00007FF6193B1A38
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140046C90 NtClose, 1_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006A4B0 NtQuerySystemInformation, 1_2_000000014006A4B0
Sample file is different than original file name gathered from version info
Source: 2JlIMkLNXh.dll Binary or memory string: OriginalFilenamekbdyj% vs 2JlIMkLNXh.dll
PE file contains strange resources
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: mswb7.dll
Source: C:\Windows\explorer.exe Section loaded: dui70.dll
Source: C:\Windows\explorer.exe Section loaded: duser.dll
Source: C:\Windows\explorer.exe Section loaded: msftedit.dll
Source: C:\Windows\explorer.exe Section loaded: globinputhost.dll
Source: C:\Windows\explorer.exe Section loaded: uiribbon.dll
Source: C:\Windows\explorer.exe Section loaded: networkexplorer.dll
PE file contains more sections than normal
Source: Secur32.dll.6.dr Static PE information: Number of sections : 52 > 10
Source: TAPI32.dll.6.dr Static PE information: Number of sections : 52 > 10
Source: 2JlIMkLNXh.dll Static PE information: Number of sections : 51 > 10
Source: 2JlIMkLNXh.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Secur32.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TAPI32.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
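The three "Number of sections" findings above and the run of random section names listed under Data Obfuscation below (.qkm, .cvjb, .tlmkv, ...) are both read from the same PE section table. The script below, added here as an editor's example and not part of the Joe Sandbox report, reproduces that check with only the Python standard library: it walks the DOS header, COFF header and section headers, counts sections against the report's threshold of 10, lists names outside a small allow-list of compiler-emitted section names, and flags any section mapped both writable and executable. The image it parses in the demo is a headers-only PE32+ skeleton constructed inline with section names copied from this report; it is not the analysed file. The allow-list and the "three or more unknown names" rule are the editor's assumptions, not part of the sandbox signature.

```python
"""Flag PE files whose section table looks like this sample's: many more
sections than a linker normally emits, and names no toolchain uses.

Editor's example for this report, not Joe Sandbox code.  Only the DOS
header, COFF header and section headers are parsed, so it needs nothing
outside the standard library.  The image in the demo is a headers-only
skeleton built inline; it is not the analysed sample.
"""
import struct

# Names commonly emitted by MSVC/MinGW linkers (editor's allow-list, not exhaustive).
STANDARD_SECTIONS = {
    b".text", b".rdata", b".data", b".pdata", b".idata", b".edata", b".rsrc",
    b".reloc", b".tls", b".bss", b".CRT", b".gfids", b".xdata", b".didat",
    b"_RDATA", b".00cfg", b".retplne",
}
SECTION_LIMIT = 10                      # threshold used by the report's signature
UNKNOWN_NAME_LIMIT = 3                  # editor's assumption for the name heuristic
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return one (name, virtual_size, virtual_address, raw_size, characteristics)
    tuple per IMAGE_SECTION_HEADER, validating the MZ and PE signatures first."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    first = coff + 20 + opt_size        # section table follows the optional header
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes: 8-byte name, six DWORDs, two WORDs, Characteristics
        name, vsize, vaddr, rsize, _rptr, _relptr, _lnptr, _nrel, _nln, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, first + i * 40)
        sections.append((name.rstrip(b"\0"), vsize, vaddr, rsize, chars))
    return sections


def assess(sections):
    """Apply the report's section-count check plus two editor-added heuristics."""
    names = [s[0] for s in sections]
    unknown = [n for n in names if n not in STANDARD_SECTIONS]
    rwx = [s[0] for s in sections
           if s[4] & IMAGE_SCN_MEM_EXECUTE and s[4] & IMAGE_SCN_MEM_WRITE]
    too_many = len(sections) > SECTION_LIMIT
    return {
        "section_count": len(sections),
        "too_many_sections": too_many,
        "unknown_names": unknown,
        "rwx_sections": rwx,
        "suspicious": too_many or len(unknown) >= UNKNOWN_NAME_LIMIT or bool(rwx),
    }


def build_demo_image(names):
    """Construct a headers-only PE32+ skeleton with the given section names.
    Constructed for the demo; it has no code and cannot be loaded."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0                     # size of IMAGE_OPTIONAL_HEADER64
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)   # PE32+ magic
    table = b""
    for i, name in enumerate(names):
        # first section code|execute|read, the rest initialized-data|read
        chars = 0x60000020 if i == 0 else 0x40000040
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                             0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Section names taken from this report's listing for 2JlIMkLNXh.dll, mixed with normal ones.
DEMO_NAMES = [b".text", b".rdata", b".data", b".pdata", b".qkm", b".cvjb", b".tlmkv",
              b".wucsxe", b".fltwtj", b".sfplio", b".rpg", b".bewzc", b".rsrc", b".reloc"]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_image(DEMO_NAMES)
    for key, value in assess(parse_sections(data)).items():
        print(f"{key}: {value}")
```

Run it with a file path to check a real PE, or with no arguments to assess the constructed skeleton. The sample and both dropped DLLs share the same 50-odd random names, so the name list alone is enough to link the three files even before hashing them.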
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReader
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReaderInputWithEncodingCodePage
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2JlIMkLNXh.dll,CreateXmlReaderInputWithEncodingName
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\tcmsetup.exe C:\Windows\system32\tcmsetup.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe C:\Users\user\AppData\Local\YTBx\tcmsetup.exe
Source: unknown Process created: C:\Windows\explorer.exe explorer.exe
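The process tree above has a pattern worth pulling out. explorer.exe, which the report flags as a benign process dropping PE files, starts the genuine C:\Windows\system32\mstsc.exe and then a copy of mstsc.exe under C:\Users\user\AppData\Local\fJxx4Zu, the directory where Secur32.dll (Avira: TR/Crypt.ZPACK.Gen) was dropped; tcmsetup.exe and TAPI32.dll under ...\YTBx follow the same shape. The PDB strings (mstsc.pdb, tcmsetup.pdb) show the hosts are the real Microsoft binaries, so the DLL placed beside each copy is the component that carries the payload. The report does not name the technique; that arrangement is consistent with DLL search-order hijacking, where the loader resolves an import from the application directory before the system directory. The script below is an editor's example, not anything from the report or from Joe Sandbox: it turns the pattern into a check over (parent, child) process-creation pairs, reporting any image name seen launching from a system directory that also launches from somewhere else, together with dropped DLLs in the same directory. The event and file lists are transcribed from the report's lines above, not captured live, and the directory prefixes are the editor's assumptions.

```python
"""Report copies of Windows system binaries executed outside the system
directories, together with DLLs dropped beside them.

Editor's example for this report, not Joe Sandbox code.  Input is a list of
(parent image, child image) process-creation pairs; the lists below are
transcribed from the report's "Process created" and dropped-file lines.
"""
import ntpath  # Windows path rules regardless of the host OS

# Editor's assumptions about which prefixes count as system / user-writable.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                         "\\users\\public\\", "c:\\programdata\\", "\\temp\\")

# Transcribed from the report; "unknown" is how the sandbox labels a missing parent.
PROCESS_EVENTS = [
    ("unknown", r"C:\Windows\System32\loaddll64.exe"),
    (r"C:\Windows\System32\loaddll64.exe", r"C:\Windows\System32\cmd.exe"),
    (r"C:\Windows\System32\loaddll64.exe", r"C:\Windows\System32\rundll32.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\mstsc.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe"),
    ("unknown", r"C:\Windows\System32\rundll32.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\tcmsetup.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\AppData\Local\YTBx\tcmsetup.exe"),
]
DROPPED_FILES = [
    r"C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe",
    r"C:\Users\user\AppData\Local\fJxx4Zu\Secur32.dll",
    r"C:\Users\user\AppData\Local\YTBx\tcmsetup.exe",
    r"C:\Users\user\AppData\Local\YTBx\TAPI32.dll",
]


def is_system_path(path):
    return path.lower().startswith(SYSTEM_DIRS)


def is_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def find_relocated_system_binaries(events, dropped_files, known_system_names=()):
    """Return one record per process whose image name matches a system binary
    (seen launching from a system directory in the same event set, or passed in
    known_system_names) but whose path lies outside the system directories."""
    originals = {ntpath.basename(child).lower(): child
                 for _parent, child in events if is_system_path(child)}
    system_names = set(originals) | {n.lower() for n in known_system_names}
    hits = []
    for parent, child in events:
        name = ntpath.basename(child).lower()
        if name not in system_names or is_system_path(child):
            continue
        folder = ntpath.dirname(child).lower()
        # a DLL dropped into the same directory is the side-load candidate
        siblings = [f for f in dropped_files
                    if ntpath.dirname(f).lower() == folder and f.lower().endswith(".dll")]
        hits.append({
            "parent": parent,
            "image": child,
            "original": originals.get(name),
            "user_writable": is_user_writable(child),
            "sibling_dlls": siblings,
        })
    return hits


if __name__ == "__main__":
    for hit in find_relocated_system_binaries(PROCESS_EVENTS, DROPPED_FILES):
        print(f"{hit['parent']} -> {hit['image']} (copy of {hit['original']}); "
              f"DLLs beside it: {hit['sibling_dlls'] or 'none'}")
```

On a live host the same logic applies to Sysmon event ID 1 (process creation) and ID 11 (file creation) data; pass a fixed list of System32 binary names through known_system_names so the check does not depend on the original also having been launched during the observation window.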
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.troj.evad.winDLL@21/5@0/0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF660358E00 memset,memset,memset,memset,memset,PathStripPathW,PathFindExtensionW,CharLowerW,PathRemoveFileSpecW,CharLowerW,CharLowerW,CoCreateInstance,LocalFree, 22_2_00007FF660358E00
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe Mutant created: \Sessions\1\BaseNamedObjects\{080b51e7-5243-64c4-ebc3-67abce22293e}
Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe Mutant created: \Sessions\1\BaseNamedObjects\{4646cca1-0c19-80c6-1a2a-cb48f0801431}
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF660314EC4 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,free,free, 22_2_00007FF660314EC4
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\MsftEdit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 2JlIMkLNXh.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: 2JlIMkLNXh.dll Static file information: File size 1941504 > 1048576

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140056A4D push rdi; ret 1_2_0000000140056A4E
PE file contains sections with non-standard names
Source: 2JlIMkLNXh.dll Static PE information: section name: .qkm
Source: 2JlIMkLNXh.dll Static PE information: section name: .cvjb
Source: 2JlIMkLNXh.dll Static PE information: section name: .tlmkv
Source: 2JlIMkLNXh.dll Static PE information: section name: .wucsxe
Source: 2JlIMkLNXh.dll Static PE information: section name: .fltwtj
Source: 2JlIMkLNXh.dll Static PE information: section name: .sfplio
Source: 2JlIMkLNXh.dll Static PE information: section name: .rpg
Source: 2JlIMkLNXh.dll Static PE information: section name: .bewzc
Source: 2JlIMkLNXh.dll Static PE information: section name: .vksvaw
Source: 2JlIMkLNXh.dll Static PE information: section name: .wmhg
Source: 2JlIMkLNXh.dll Static PE information: section name: .kswemc
Source: 2JlIMkLNXh.dll Static PE information: section name: .kaxfk
Source: 2JlIMkLNXh.dll Static PE information: section name: .pjf
Source: 2JlIMkLNXh.dll Static PE information: section name: .retjqj
Source: 2JlIMkLNXh.dll Static PE information: section name: .mizn
Source: 2JlIMkLNXh.dll Static PE information: section name: .rsrub
Source: 2JlIMkLNXh.dll Static PE information: section name: .susbqq
Source: 2JlIMkLNXh.dll Static PE information: section name: .jeojcw
Source: 2JlIMkLNXh.dll Static PE information: section name: .vwl
Source: 2JlIMkLNXh.dll Static PE information: section name: .mub
Source: 2JlIMkLNXh.dll Static PE information: section name: .xwxpmb
Source: 2JlIMkLNXh.dll Static PE information: section name: .aea
Source: 2JlIMkLNXh.dll Static PE information: section name: .lwpch
Source: 2JlIMkLNXh.dll Static PE information: section name: .nzgp
Source: 2JlIMkLNXh.dll Static PE information: section name: .qimx
Source: 2JlIMkLNXh.dll Static PE information: section name: .jbqbr
Source: 2JlIMkLNXh.dll Static PE information: section name: .kxxxil
Source: 2JlIMkLNXh.dll Static PE information: section name: .drpaa
Source: 2JlIMkLNXh.dll Static PE information: section name: .lepjc
Source: 2JlIMkLNXh.dll Static PE information: section name: .ywrsat
Source: 2JlIMkLNXh.dll Static PE information: section name: .ialjct
Source: 2JlIMkLNXh.dll Static PE information: section name: .ujrqkf
Source: 2JlIMkLNXh.dll Static PE information: section name: .lwaoje
Source: 2JlIMkLNXh.dll Static PE information: section name: .pces
Source: 2JlIMkLNXh.dll Static PE information: section name: .zuizg
Source: 2JlIMkLNXh.dll Static PE information: section name: .upz
Source: 2JlIMkLNXh.dll Static PE information: section name: .wxuh
Source: 2JlIMkLNXh.dll Static PE information: section name: .fsdfq
Source: 2JlIMkLNXh.dll Static PE information: section name: .xxlo
Source: 2JlIMkLNXh.dll Static PE information: section name: .hcxtgl
Source: 2JlIMkLNXh.dll Static PE information: section name: .owbx
Source: 2JlIMkLNXh.dll Static PE information: section name: .phg
Source: 2JlIMkLNXh.dll Static PE information: section name: .trmoj
Source: 2JlIMkLNXh.dll Static PE information: section name: .zaixaf
Source: 2JlIMkLNXh.dll Static PE information: section name: .myzf
Source: mstsc.exe.6.dr Static PE information: section name: .didat
Source: Secur32.dll.6.dr Static PE information: section name: .qkm
Source: Secur32.dll.6.dr Static PE information: section name: .cvjb
Source: Secur32.dll.6.dr Static PE information: section name: .tlmkv
Source: Secur32.dll.6.dr Static PE information: section name: .wucsxe
Source: Secur32.dll.6.dr Static PE information: section name: .fltwtj
Source: Secur32.dll.6.dr Static PE information: section name: .sfplio
Source: Secur32.dll.6.dr Static PE information: section name: .rpg
Source: Secur32.dll.6.dr Static PE information: section name: .bewzc
Source: Secur32.dll.6.dr Static PE information: section name: .vksvaw
Source: Secur32.dll.6.dr Static PE information: section name: .wmhg
Source: Secur32.dll.6.dr Static PE information: section name: .kswemc
Source: Secur32.dll.6.dr Static PE information: section name: .kaxfk
Source: Secur32.dll.6.dr Static PE information: section name: .pjf
Source: Secur32.dll.6.dr Static PE information: section name: .retjqj
Source: Secur32.dll.6.dr Static PE information: section name: .mizn
Source: Secur32.dll.6.dr Static PE information: section name: .rsrub
Source: Secur32.dll.6.dr Static PE information: section name: .susbqq
Source: Secur32.dll.6.dr Static PE information: section name: .jeojcw
Source: Secur32.dll.6.dr Static PE information: section name: .vwl
Source: Secur32.dll.6.dr Static PE information: section name: .mub
Source: Secur32.dll.6.dr Static PE information: section name: .xwxpmb
Source: Secur32.dll.6.dr Static PE information: section name: .aea
Source: Secur32.dll.6.dr Static PE information: section name: .lwpch
Source: Secur32.dll.6.dr Static PE information: section name: .nzgp
Source: Secur32.dll.6.dr Static PE information: section name: .qimx
Source: Secur32.dll.6.dr Static PE information: section name: .jbqbr
Source: Secur32.dll.6.dr Static PE information: section name: .kxxxil
Source: Secur32.dll.6.dr Static PE information: section name: .drpaa
Source: Secur32.dll.6.dr Static PE information: section name: .lepjc
Source: Secur32.dll.6.dr Static PE information: section name: .ywrsat
Source: Secur32.dll.6.dr Static PE information: section name: .ialjct
Source: Secur32.dll.6.dr Static PE information: section name: .ujrqkf
Source: Secur32.dll.6.dr Static PE information: section name: .lwaoje
Source: Secur32.dll.6.dr Static PE information: section name: .pces
Source: Secur32.dll.6.dr Static PE information: section name: .zuizg
Source: Secur32.dll.6.dr Static PE information: section name: .upz
Source: Secur32.dll.6.dr Static PE information: section name: .wxuh
Source: Secur32.dll.6.dr Static PE information: section name: .fsdfq
Source: Secur32.dll.6.dr Static PE information: section name: .xxlo
Source: Secur32.dll.6.dr Static PE information: section name: .hcxtgl
Source: Secur32.dll.6.dr Static PE information: section name: .owbx
Source: Secur32.dll.6.dr Static PE information: section name: .phg
Source: Secur32.dll.6.dr Static PE information: section name: .trmoj
Source: Secur32.dll.6.dr Static PE information: section name: .zaixaf
Source: Secur32.dll.6.dr Static PE information: section name: .myzf
Source: Secur32.dll.6.dr Static PE information: section name: .jdkzt
Source: TAPI32.dll.6.dr Static PE information: section name: .qkm
Source: TAPI32.dll.6.dr Static PE information: section name: .cvjb
Source: TAPI32.dll.6.dr Static PE information: section name: .tlmkv
Source: TAPI32.dll.6.dr Static PE information: section name: .wucsxe
Source: TAPI32.dll.6.dr Static PE information: section name: .fltwtj
Source: TAPI32.dll.6.dr Static PE information: section name: .sfplio
Source: TAPI32.dll.6.dr Static PE information: section name: .rpg
Source: TAPI32.dll.6.dr Static PE information: section name: .bewzc
Source: TAPI32.dll.6.dr Static PE information: section name: .vksvaw
Source: TAPI32.dll.6.dr Static PE information: section name: .wmhg
Source: TAPI32.dll.6.dr Static PE information: section name: .kswemc
Source: TAPI32.dll.6.dr Static PE information: section name: .kaxfk
Source: TAPI32.dll.6.dr Static PE information: section name: .pjf
Source: TAPI32.dll.6.dr Static PE information: section name: .retjqj
Source: TAPI32.dll.6.dr Static PE information: section name: .mizn
Source: TAPI32.dll.6.dr Static PE information: section name: .rsrub
Source: TAPI32.dll.6.dr Static PE information: section name: .susbqq
Source: TAPI32.dll.6.dr Static PE information: section name: .jeojcw
Source: TAPI32.dll.6.dr Static PE information: section name: .vwl
Source: TAPI32.dll.6.dr Static PE information: section name: .mub
Source: TAPI32.dll.6.dr Static PE information: section name: .xwxpmb
Source: TAPI32.dll.6.dr Static PE information: section name: .aea
Source: TAPI32.dll.6.dr Static PE information: section name: .lwpch
Source: TAPI32.dll.6.dr Static PE information: section name: .nzgp
Source: TAPI32.dll.6.dr Static PE information: section name: .qimx
Source: TAPI32.dll.6.dr Static PE information: section name: .jbqbr
Source: TAPI32.dll.6.dr Static PE information: section name: .kxxxil
Source: TAPI32.dll.6.dr Static PE information: section name: .drpaa
Source: TAPI32.dll.6.dr Static PE information: section name: .lepjc
Source: TAPI32.dll.6.dr Static PE information: section name: .ywrsat
Source: TAPI32.dll.6.dr Static PE information: section name: .ialjct
Source: TAPI32.dll.6.dr Static PE information: section name: .ujrqkf
Source: TAPI32.dll.6.dr Static PE information: section name: .lwaoje
Source: TAPI32.dll.6.dr Static PE information: section name: .pces
Source: TAPI32.dll.6.dr Static PE information: section name: .zuizg
Source: TAPI32.dll.6.dr Static PE information: section name: .upz
Source: TAPI32.dll.6.dr Static PE information: section name: .wxuh
Source: TAPI32.dll.6.dr Static PE information: section name: .fsdfq
Source: TAPI32.dll.6.dr Static PE information: section name: .xxlo
Source: TAPI32.dll.6.dr Static PE information: section name: .hcxtgl
Source: TAPI32.dll.6.dr Static PE information: section name: .owbx
Source: TAPI32.dll.6.dr Static PE information: section name: .phg
Source: TAPI32.dll.6.dr Static PE information: section name: .trmoj
Source: TAPI32.dll.6.dr Static PE information: section name: .zaixaf
Source: TAPI32.dll.6.dr Static PE information: section name: .myzf
Source: TAPI32.dll.6.dr Static PE information: section name: .shcm
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF66032BEA0 LoadLibraryW,GetProcAddress,GetProcAddress, 22_2_00007FF66032BEA0
PE file contains an invalid checksum
Source: Secur32.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1dca59
Source: TAPI32.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x1e59ee
Source: 2JlIMkLNXh.dll Static PE information: real checksum: 0x7d786c40 should be: 0x1e406b
Binary contains a suspicious time stamp
Source: mstsc.exe.6.dr Static PE information: 0xB359C414 [Fri May 8 10:36:04 2065 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
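The static indicators listed above (section names no linker emits, a stored CheckSum that does not match the file, a TimeDateStamp in 2065, a .text section at entropy 7.73) are all plain header checks that can be reproduced offline, and the report gives two details worth pivoting on: all three files (the submitted DLL, Secur32.dll.6.dr and TAPI32.dll.6.dr) carry the identical bogus CheckSum 0x7d786c40, and the section names listed for 2JlIMkLNXh.dll reappear in both dropped DLLs, each with one extra name (.jdkzt, .shcm), which points to one packer producing all three. The .didat section in mstsc.exe.6.dr is the normal delay-import data section of a Microsoft-linked binary, consistent with that file being a clean host executable. The script below is an added example written for this page, not Joe Sandbox's code and not derived from the sample: it parses PE headers with the standard library only, computes the checksum with the same arithmetic as imagehlp CheckSumMappedFile, measures section entropy and flags a future timestamp. It runs against a constructed stand-in PE that reuses the report's values (four of the section names, CheckSum 0x7d786c40, TimeDateStamp 0xB359C414); the STANDARD_SECTIONS allowlist, the 7.0 entropy threshold and the "now" epoch used for the timestamp check are assumptions, not values from the report. One caveat a triage rule should encode: Windows does not verify CheckSum for ordinary user-mode images, so a zero value is normal for unsigned builds and a mismatch never prevents execution; it is a non-zero wrong value, here reused verbatim across files, that is the indicator.

```python
"""Static PE triage in pure stdlib: the header checks behind the four signatures above."""
import math
import random
import struct
import time

# Names that Microsoft and GNU toolchains normally emit (assumed allowlist); anything else is flagged.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".pdata", ".rsrc",
                     ".reloc", ".tls", ".didat", ".CRT", ".gfids", ".00cfg", ".xdata", ".debug"}

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~0 for padding, 5-6 for native code, close to 8 for packed or encrypted data."""
    if not buf:
        return 0.0
    n, counts = len(buf), [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Same arithmetic as imagehlp CheckSumMappedFile: sum every dword of the file except the
    CheckSum field itself, fold the carries down to 16 bits, then add the unpadded file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset & ~3:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsec, timestamp = struct.unpack_from("<HI", data, coff + 2)
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    checksum_offset = opt + 0x40                     # CheckSum sits at +0x40 in PE32 and PE32+
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, s + 16)
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return {"timestamp": timestamp, "checksum_offset": checksum_offset,
            "checksum": struct.unpack_from("<I", data, checksum_offset)[0], "sections": sections}

def triage(data: bytes, now=None) -> dict:
    """Reproduce the report's static findings for one file."""
    pe = parse_pe(data)
    now = time.time() if now is None else now
    expected = pe_checksum(data, pe["checksum_offset"])
    return {
        "nonstandard_sections": [n for n, _ in pe["sections"] if n not in STANDARD_SECTIONS],
        "section_count": len(pe["sections"]),
        "checksum_stored": pe["checksum"],
        "checksum_expected": expected,
        # Zero is normal for user-mode builds (the loader only enforces CheckSum for drivers and
        # boot-time system DLLs); only a non-zero value that does not match is an indicator.
        "checksum_valid": pe["checksum"] in (0, expected),
        "timestamp_in_future": pe["timestamp"] > now,
        "high_entropy_sections": [n for n, raw in pe["sections"] if shannon_entropy(raw) > 7.0],
    }

def fix_checksum(data: bytes) -> bytes:
    """Write the computed CheckSum back; triage() on the result must then report it valid."""
    pe, out = parse_pe(data), bytearray(data)
    struct.pack_into("<I", out, pe["checksum_offset"], pe_checksum(data, pe["checksum_offset"]))
    return bytes(out)

def build_pe(section_names, timestamp, stored_checksum, payloads) -> bytes:
    """Constructed minimal PE32+ image for offline testing; NOT the analysed sample."""
    file_align, opt_size = 0x200, 240
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * len(section_names)) // file_align) * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), timestamp, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<I", opt, 0x40, stored_checksum)
    hdrs, body, ptr = b"", b"", hdr_len
    for i, name in enumerate(section_names):
        raw = payloads.get(name, b"\0" * file_align)
        raw += b"\0" * (-len(raw) % file_align)
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw),
                            0x1000 * (i + 1), len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body, ptr = body + raw, ptr + len(raw)
    head = dos + b"PE\0\0" + coff + bytes(opt) + hdrs
    return head + b"\0" * (hdr_len - len(head)) + body

def report_like_sample() -> bytes:
    """Stand-in reusing the report's indicators: four section names from the 2JlIMkLNXh.dll
    listing, stored CheckSum 0x7d786c40, TimeDateStamp 0xB359C414 and a random-byte .text."""
    rng = random.Random(0x2758)
    packed_text = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for packed code
    return build_pe([".text", ".rdata", ".lwpch", ".nzgp", ".qimx", ".jbqbr"],
                    timestamp=0xB359C414, stored_checksum=0x7D786C40,
                    payloads={".text": packed_text, ".rdata": b"Hello, world\0" * 64})

if __name__ == "__main__":
    # now=1633000000 (late September 2021) is an assumed analysis-time epoch, not from the report.
    for key, value in triage(report_like_sample(), now=1633000000).items():
        print(f"{key:22} {value:#x}" if key in ("checksum_stored", "checksum_expected") else f"{key:22} {value}")
```

Running it prints the four non-standard names, the stored 0x7d786c40 against the value the file actually sums to, timestamp_in_future True and .text as the only high-entropy section. fix_checksum() is there to validate the checksum routine itself: writing its result back and re-running triage() must yield checksum_valid True, which is the self-consistency check to run before trusting any "invalid checksum" verdict from your own tooling.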

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\YTBx\TAPI32.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\fJxx4Zu\Secur32.dll Jump to dropped file

Boot Survival:

barindex
Stores files to the Windows start menu directory
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GU Jump to behavior
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GU Jump to behavior
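The dropped-file layout recorded above is the pattern worth hunting for on other hosts: a copy of a Windows executable (mstsc.exe, tcmsetup.exe) placed in a randomly named folder under the user's AppData\Local beside a DLL that carries the name of a system DLL (Secur32.dll, TAPI32.dll), plus a file named GU in the per-user Startup folder. A legitimate executable paired with a same-named DLL in its own directory is consistent with DLL search-order hijacking (side-loading): the .exe is clean, often byte-identical to the System32 copy, so a detection keyed on the executable's hash finds nothing and the DLL beside it is what has to be inspected. The script below is an added example for this page, not part of the report, that walks a profile for such pairs, checks whether each .exe is a byte-for-byte copy of the System32 binary of the same name, and lists Startup-folder entries. It exercises itself on a constructed directory tree mirroring the paths in the report (placeholder contents, no real binaries); HIJACKABLE_DLLS is an assumed seed list to extend from your own telemetry.

```python
"""Hunt for the drop layout recorded above: a copied Windows executable beside a same-named
system DLL under the user's AppData\\Local, plus new entries in the per-user Startup folder."""
import hashlib
import os
import tempfile
from pathlib import Path

# Seed list (assumption, extend from your own telemetry) of DLL names that get side-loaded;
# secur32.dll and tapi32.dll are the two this report shows being dropped.
HIJACKABLE_DLLS = {"secur32.dll", "tapi32.dll", "version.dll", "dwmapi.dll", "uxtheme.dll",
                   "wtsapi32.dll", "cryptbase.dll", "dbghelp.dll"}
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")

def sha256_file(path) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def is_system_copy(exe_path, system32) -> bool:
    """True when System32 holds a byte-identical file of the same name: the dropped .exe is then a
    clean Microsoft binary and the DLL beside it is the part that needs inspection."""
    original = Path(system32) / Path(exe_path).name
    return original.is_file() and sha256_file(original) == sha256_file(exe_path)

def find_sideload_pairs(root, system32) -> list:
    """Every (exe, dll) combination sharing a directory where the DLL name is a known system DLL."""
    pairs = []
    for dirpath, _subdirs, files in os.walk(root):
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower() in HIJACKABLE_DLLS]
        for exe in exes:
            for dll in dlls:
                pairs.append({"dir": dirpath, "exe": exe, "dll": dll,
                              "exe_is_system_copy": is_system_copy(os.path.join(dirpath, exe), system32)})
    return sorted(pairs, key=lambda p: (p["dir"].lower(), p["exe"].lower(), p["dll"].lower()))

def startup_entries(profile) -> list:
    """File names in the per-user Startup folder (the report records a file named GU there)."""
    startup = Path(profile) / STARTUP_REL
    if not startup.is_dir():
        return []
    return sorted(p.name for p in startup.iterdir() if p.name.lower() != "desktop.ini")

def hunt(profile, system32) -> dict:
    return {"pairs": find_sideload_pairs(Path(profile) / "AppData" / "Local", system32),
            "startup": startup_entries(profile)}

def build_demo_tree(base):
    """Constructed tree mirroring the report's paths; contents are placeholders, not real binaries.
    Returns (profile_dir, fake_system32_dir)."""
    base = Path(base)
    profile, system32 = base / "Users" / "user", base / "Windows" / "System32"
    mstsc, tcmsetup = b"MZ placeholder mstsc.exe", b"MZ placeholder tcmsetup.exe"
    files = {
        system32 / "mstsc.exe": mstsc,
        system32 / "tcmsetup.exe": tcmsetup,
        profile / "AppData/Local/fJxx4Zu/mstsc.exe": mstsc,            # byte-identical copy
        profile / "AppData/Local/fJxx4Zu/Secur32.dll": b"MZ placeholder dropped DLL",
        profile / "AppData/Local/YTBx/tcmsetup.exe": tcmsetup,
        profile / "AppData/Local/YTBx/TAPI32.dll": b"MZ placeholder dropped DLL",
        profile / "AppData/Local/SomeApp/app.exe": b"MZ benign",       # no hijackable DLL beside it
        profile / "AppData/Local/SomeApp/app.dll": b"MZ benign",
        profile / STARTUP_REL / "GU": b"placeholder",
    }
    for path, content in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return str(profile), str(system32)

def demo() -> dict:
    """Build the constructed tree in a temporary directory, hunt it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(*build_demo_tree(tmp))

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host call hunt(r"C:\Users\<name>", r"C:\Windows\System32") per profile; the SomeApp pair in the demo tree shows the deliberate scoping, since an .exe beside a DLL of its own name is normal for installed software and only a DLL named after a Windows system library is flagged.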

Hooking and other Techniques for Hiding and Protection:

barindex
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF6603239A0 SetFocus,LoadCursorW,SetCursor,DefWindowProcW,GetClientRect,IsIconic,memset,GetTitleBarInfo,GetCursorPos,SendMessageW, 22_2_00007FF6603239A0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF66031F5A4 DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,DefWindowProcW, 22_2_00007FF66031F5A4
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF66039C560 GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos, 22_2_00007FF66039C560
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF66031CE48 IsIconic,GetWindowPlacement,GetLastError, 22_2_00007FF66031CE48
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF660319A6C IsIconic,GetWindowPlacement,GetWindowRect, 22_2_00007FF660319A6C
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF66031CF28 IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow, 22_2_00007FF66031CF28
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF660321B44 lstrcmpW,LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,VariantInit,VariantClear,GetRgnBox,OffsetRgn,VariantClear,ShowWindow,SetWindowPos,SetWindowPos,SetWindowRgn,LockWindowUpdate, 22_2_00007FF660321B44
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF660322F5C IsWindowVisible,IsIconic, 22_2_00007FF660322F5C
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF660322884 GetWindowRect,GetWindowLongW,GetWindowLongW,memset,CopyRect,IntersectRect,MoveWindow,IsIconic,memset,GetWindowPlacement, 22_2_00007FF660322884
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF6603204F8 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem, 22_2_00007FF6603204F8
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (5 identical entries)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (42 identical entries)
Note: NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX flag of SetErrorMode; it stops Windows from showing a message box when a file (for example a DLL being loaded) cannot be found, so failed load attempts stay silent. The calls attributed to explorer.exe fit the rest of this report, where that benign process drops the payload files and writes the Startup entry, i.e. the injected code is what is running there.

Malware Analysis System Evasion:

barindex
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005C340 GetSystemInfo, 1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D290 FindFirstFileExW, 1_2_000000014005D290
Source: explorer.exe, 0000001C.00000003.478164779.0000000008602000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B1
Source: explorer.exe, 0000001C.00000002.789331719.0000000008516000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000001C.00000002.787223635.00000000082AD000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001C.00000003.458285250.00000000085F9000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 0000001C.00000003.468597864.0000000008588000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000003.705432808.000000000EA41000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}GONSERV
Source: explorer.exe, 0000001C.00000003.456622279.0000000006B27000.00000004.00000001.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}esgZ
Source: explorer.exe, 0000001C.00000003.713931534.00000000082DC000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000003.456244015.0000000008516000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.252365474.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000006.00000000.285201603.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 0000001C.00000002.799922387.000000000EA40000.00000004.00000001.sdmp Binary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f
Source: explorer.exe, 0000001C.00000002.787223635.00000000082AD000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}indows.Cortana_cw5n1h2txyewB
Source: explorer.exe, 0000001C.00000003.458285250.00000000085F9000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:&
Source: explorer.exe, 0000001C.00000002.799922387.000000000EA40000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}U
Source: explorer.exe, 0000001C.00000003.705432808.000000000EA41000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}I
Source: explorer.exe, 0000001C.00000003.707657930.00000000082D2000.00000004.00000001.sdmp Binary or memory string: 0000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000001C.00000003.478182163.0000000008605000.00000004.00000001.sdmp Binary or memory string: 63}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000003.713931534.00000000082DC000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e`~
Source: explorer.exe, 00000006.00000000.285663277.0000000008A9D000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}::
Source: explorer.exe, 0000001C.00000003.411015605.0000000006AFC000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}escriptionGIf p
Source: explorer.exe, 0000001C.00000003.466074498.0000000008456000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}""
Source: explorer.exe, 00000006.00000000.285201603.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 0000001C.00000003.707002128.0000000006A87000.00000004.00000001.sdmp Binary or memory string: \?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
Source: explorer.exe, 0000001C.00000003.713931534.00000000082DC000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dh
Source: explorer.exe, 0000001C.00000003.709433811.00000000082D3000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Local
Source: explorer.exe, 0000001C.00000003.477096819.0000000008594000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} 032: "33"
Source: explorer.exe, 0000001C.00000003.469308444.0000000008453000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bx
Source: explorer.exe, 0000001C.00000003.713931534.00000000082DC000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000001C.00000002.799922387.000000000EA40000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF66032BEA0 LoadLibraryW,GetProcAddress,GetProcAddress, 22_2_00007FF66032BEA0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140048AC0 LdrLoadDll,FindClose, 1_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF660432264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_00007FF660432264
Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe Code function: 26_2_00007FF6193B2330 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_00007FF6193B2330
Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe Code function: 26_2_00007FF6193B2530 SetUnhandledExceptionFilter, 26_2_00007FF6193B2530

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: Secur32.dll.6.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2JlIMkLNXh.dll',#1
Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe Code function: 26_2_00007FF6193B1618 HeapSetInformation,GetModuleHandleW,LoadStringW,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,GetCommandLineW, 26_2_00007FF6193B1618
Source: explorer.exe, 0000001C.00000002.772768256.0000000000A37000.00000004.00000020.sdmp Binary or memory string: Progmanrogram File
Source: explorer.exe, 00000006.00000000.276761829.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 0000001C.00000002.782481746.0000000004FA0000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.252570981.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.782481746.0000000004FA0000.00000004.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.252570981.0000000001640000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000006.00000000.294598051.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000006.00000000.252570981.0000000001640000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000006.00000000.252570981.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.776559903.0000000001180000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000001C.00000003.402079483.00000000044C4000.00000004.00000001.sdmp Binary or memory string: ProgmanaY
Source: explorer.exe, 0000001C.00000002.780622795.0000000004440000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd*
Source: explorer.exe, 0000001C.00000002.776559903.0000000001180000.00000002.00020000.sdmp Binary or memory string: ZProgram Manageri

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\YTBx\tcmsetup.exe Queries volume information: unknown VolumeInformation
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF66041D15C GetSystemTime,SystemTimeToFileTime,EventActivityIdControl, 22_2_00007FF66041D15C
Source: C:\Users\user\AppData\Local\fJxx4Zu\mstsc.exe Code function: 22_2_00007FF66042F5EC memset,GetVersionExW,GetVersionExW, 22_2_00007FF66042F5EC

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: explorer.exe, 0000001C.00000003.449554775.0000000008433000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe
No contacted IP infos