Windows Analysis Report 1zdJLxxTnh

Overview

General Information

Sample Name: 1zdJLxxTnh (renamed file extension from none to dll)
Analysis ID: 492776
MD5: 784adf3295b7eafe53aa80da302b1b5d
SHA1: c79da77a4d00ec47594e007f9a174de43b5028d3
SHA256: 69af86da86fc2f9639f010e0b729b1c2ce33a272d199aeedc4c873d98a2b83b4
Tags: Dridex, exe

Detection

Dridex
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 1zdJLxxTnh.dll Metadefender: Detection: 62%
Source: 1zdJLxxTnh.dll ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: 1zdJLxxTnh.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\XVzc21m9h\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\94LPZAU0\WINMM.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\hJiut\MFC42u.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\nPqx0Ph\DUser.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\cp4nWp\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\XVzc21m9h\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\XVzc21m9h\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\XVzc21m9h\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\94LPZAU0\WINMM.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\hJiut\MFC42u.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\nPqx0Ph\DUser.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\cp4nWp\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\XVzc21m9h\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\XVzc21m9h\DUI70.dll Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CA2CA0 BCryptOpenAlgorithmProvider,BCryptGetProperty,BCryptGetProperty,BCryptGenerateSymmetricKey,BCryptDestroyKey,BCryptCloseAlgorithmProvider,CoTaskMemFree, 22_2_00007FF7A3CA2CA0
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CACC10 BCryptGenRandom,memcpy,BCryptEncrypt,memcpy,BCryptEncrypt, 22_2_00007FF7A3CACC10
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CA2E8C BCryptDestroyKey,BCryptCloseAlgorithmProvider,CoTaskMemFree,CoTaskMemFree, 22_2_00007FF7A3CA2E8C
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CACE10 memset,memcpy,BCryptEncrypt,BCryptDestroyKey,BCryptCloseAlgorithmProvider,CoTaskMemFree, 22_2_00007FF7A3CACE10
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CA2A04 BCryptDecrypt,memset,BCryptDecrypt,memcpy,BCryptDestroyKey,BCryptCloseAlgorithmProvider,CoTaskMemFree, 22_2_00007FF7A3CA2A04
Source: 1zdJLxxTnh.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: ProximityUxHost.pdbGCTL source: ProximityUxHost.exe, 00000016.00000002.405012990.00007FF7A3CB2000.00000002.00020000.sdmp, ProximityUxHost.exe.8.dr
Source: Binary string: WindowsActionDialog.pdb source: WindowsActionDialog.exe, 00000024.00000002.493551175.00007FF6A5E0B000.00000002.00020000.sdmp, WindowsActionDialog.exe.8.dr
Source: Binary string: SessionMsg.pdb source: sessionmsg.exe, 00000021.00000002.461103553.00007FF67936A000.00000002.00020000.sdmp, sessionmsg.exe.8.dr
Source: Binary string: irftp.pdbGCTL source: irftp.exe, 0000001C.00000002.431900352.00007FF7EDB65000.00000002.00020000.sdmp, irftp.exe, 00000026.00000000.510674509.00007FF65A355000.00000002.00020000.sdmp, irftp.exe0.8.dr
Source: Binary string: PresentationHost.pdbGCTL source: PresentationHost.exe.8.dr
Source: Binary string: SessionMsg.pdbGCTL source: sessionmsg.exe, 00000021.00000002.461103553.00007FF67936A000.00000002.00020000.sdmp, sessionmsg.exe.8.dr
Source: Binary string: WindowsActionDialog.pdbGCTL source: WindowsActionDialog.exe, 00000024.00000002.493551175.00007FF6A5E0B000.00000002.00020000.sdmp, WindowsActionDialog.exe.8.dr
Source: Binary string: PresentationHost.pdb source: PresentationHost.exe.8.dr
Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe.8.dr
Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe.8.dr
Source: Binary string: ProximityUxHost.pdb source: ProximityUxHost.exe, 00000016.00000002.405012990.00007FF7A3CB2000.00000002.00020000.sdmp, ProximityUxHost.exe.8.dr
Source: Binary string: irftp.pdb source: irftp.exe, 0000001C.00000002.431900352.00007FF7EDB65000.00000002.00020000.sdmp, irftp.exe, 00000026.00000000.510674509.00007FF65A355000.00000002.00020000.sdmp, irftp.exe0.8.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB5B908 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose, 28_2_00007FF7EDB5B908
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB5C018 FindFirstFileW,lstrcmpW,lstrcmpW,CreateFileW,GetFileSize,CloseHandle,FindNextFileW,FindClose, 28_2_00007FF7EDB5C018
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A34C018 FindFirstFileW,lstrcmpW,lstrcmpW,CreateFileW,GetFileSize,CloseHandle,FindNextFileW,FindClose, 38_2_00007FF65A34C018
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A34B908 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose, 38_2_00007FF65A34B908
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB5A6E8 select,recv,GetLastError,select, 28_2_00007FF7EDB5A6E8

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000000.00000002.304569547.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.289547097.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.365405591.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.296819494.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.491095361.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.459843217.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.283056136.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.430835734.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.402800394.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.532861365.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140034870 0_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035270 0_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 0_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140065B80 0_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400524B0 0_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140026CC0 0_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004BD40 0_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400495B0 0_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140036F30 0_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069010 0_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001010 0_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140066020 0_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002F840 0_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D850 0_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140064080 0_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140010880 0_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400688A0 0_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002D0D0 0_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400018D0 0_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016100 0_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D100 0_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002A110 0_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D910 0_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140015120 0_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000B120 0_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004F940 0_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140039140 0_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023140 0_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140057950 0_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001E170 0_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140002980 0_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400611A0 0_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400389A0 0_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400381A0 0_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002E1B0 0_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400139D0 0_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400319F0 0_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002EA00 0_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022A00 0_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003B220 0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140067A40 0_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069A50 0_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140007A60 0_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003AAC0 0_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003A2E0 0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140062B00 0_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018300 0_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002FB20 0_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031340 0_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022340 0_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140017B40 0_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000BB40 0_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004EB60 0_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005370 0_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002CB80 0_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B390 0_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140054BA0 0_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033BB0 0_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400263C0 0_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400123C0 0_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140063BD0 0_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400663F0 0_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023BF0 0_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B41B 0_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B424 0_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B42D 0_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B436 0_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B43D 0_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140024440 0_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005C40 0_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B446 0_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005F490 0_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022D00 0_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035520 0_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019D20 0_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140030530 0_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023530 0_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031540 0_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033540 0_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014007BD50 0_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140078570 0_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019580 0_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400205A0 0_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140025DB0 0_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140071DC0 0_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000C5C0 0_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002DDE0 0_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031DF0 0_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000DDF0 0_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001620 0_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018630 0_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140032650 0_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140064E80 0_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016E80 0_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140007EA0 0_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400286B0 0_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140006EB0 0_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400276C0 0_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002FEC0 0_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002EED0 0_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002B6E0 0_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140053F20 0_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022730 0_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140029780 0_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018F80 0_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003EFB0 0_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400067B0 0_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400667D0 0_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140060FE0 0_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CAA8E0 22_2_00007FF7A3CAA8E0
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C8F0B4 22_2_00007FF7A3C8F0B4
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C9ECB8 22_2_00007FF7A3C9ECB8
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C8B868 22_2_00007FF7A3C8B868
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C91018 22_2_00007FF7A3C91018
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C98408 22_2_00007FF7A3C98408
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CA7400 22_2_00007FF7A3CA7400
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CA0800 22_2_00007FF7A3CA0800
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C9CF68 22_2_00007FF7A3C9CF68
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CA9F38 22_2_00007FF7A3CA9F38
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C85B08 22_2_00007FF7A3C85B08
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CAD6B0 22_2_00007FF7A3CAD6B0
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C992C0 22_2_00007FF7A3C992C0
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CAB260 22_2_00007FF7A3CAB260
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C99A7C 22_2_00007FF7A3C99A7C
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C945BC 22_2_00007FF7A3C945BC
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CA4960 22_2_00007FF7A3CA4960
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C94158 22_2_00007FF7A3C94158
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CA9530 22_2_00007FF7A3CA9530
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C8913C 22_2_00007FF7A3C8913C
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB5E264 28_2_00007FF7EDB5E264
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB57A6C 28_2_00007FF7EDB57A6C
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB5F0E0 28_2_00007FF7EDB5F0E0
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB59104 28_2_00007FF7EDB59104
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB61CB0 28_2_00007FF7EDB61CB0
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB53C70 28_2_00007FF7EDB53C70
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB54890 28_2_00007FF7EDB54890
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB58C24 28_2_00007FF7EDB58C24
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB573E0 28_2_00007FF7EDB573E0
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB527C4 28_2_00007FF7EDB527C4
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB57770 28_2_00007FF7EDB57770
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB5534C 28_2_00007FF7EDB5534C
Source: C:\Users\user\AppData\Local\nPqx0Ph\sessionmsg.exe Code function: 33_2_00007FF679361E94 33_2_00007FF679361E94
Source: C:\Users\user\AppData\Local\nPqx0Ph\sessionmsg.exe Code function: 33_2_00007FF6793644E0 33_2_00007FF6793644E0
Source: C:\Users\user\AppData\Local\nPqx0Ph\sessionmsg.exe Code function: 33_2_00007FF679361778 33_2_00007FF679361778
Source: C:\Users\user\AppData\Local\nPqx0Ph\sessionmsg.exe Code function: 33_2_00007FF679363B58 33_2_00007FF679363B58
Source: C:\Users\user\AppData\Local\nPqx0Ph\sessionmsg.exe Code function: 33_2_00007FF679363168 33_2_00007FF679363168
Source: C:\Users\user\AppData\Local\nPqx0Ph\sessionmsg.exe Code function: 33_2_00007FF679364A20 33_2_00007FF679364A20
Source: C:\Users\user\AppData\Local\buYWmbl3\WindowsActionDialog.exe Code function: 36_2_00007FF6A5E046D8 36_2_00007FF6A5E046D8
Source: C:\Users\user\AppData\Local\buYWmbl3\WindowsActionDialog.exe Code function: 36_2_00007FF6A5E03E8C 36_2_00007FF6A5E03E8C
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A34534C 38_2_00007FF65A34534C
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A347770 38_2_00007FF65A347770
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A348C24 38_2_00007FF65A348C24
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A3427C4 38_2_00007FF65A3427C4
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A3473E0 38_2_00007FF65A3473E0
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A344890 38_2_00007FF65A344890
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A351CB0 38_2_00007FF65A351CB0
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A343C70 38_2_00007FF65A343C70
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A349104 38_2_00007FF65A349104
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A34F0E0 38_2_00007FF65A34F0E0
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A34E264 38_2_00007FF65A34E264
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A347A6C 38_2_00007FF65A347A6C
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140046C90 NtClose, 0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 NtQuerySystemInformation, 0_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB585A0 RtlInitUnicodeString,NtCreateFile,SetWaitableTimer,socket,CancelIo,CloseHandle,NtDeviceIoControlFile,closesocket,CancelIo,CloseHandle,SetWaitableTimer,NtDeviceIoControlFile, 28_2_00007FF7EDB585A0
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB58994 NtDeviceIoControlFile,WaitForSingleObject,memset,MultiByteToWideChar,lstrlenW,Sleep,memset, 28_2_00007FF7EDB58994
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB58900 PostMessageW,NtDeviceIoControlFile, 28_2_00007FF7EDB58900
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB587B0 PostMessageW,NtDeviceIoControlFile,closesocket,CloseHandle,SetWaitableTimer, 28_2_00007FF7EDB587B0
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A3487B0 PostMessageW,NtDeviceIoControlFile,closesocket,CloseHandle,SetWaitableTimer, 38_2_00007FF65A3487B0
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A348900 PostMessageW,NtDeviceIoControlFile, 38_2_00007FF65A348900
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A348994 NtDeviceIoControlFile,WaitForSingleObject,memset,MultiByteToWideChar,lstrlenW,Sleep,memset, 38_2_00007FF65A348994
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A3485A0 RtlInitUnicodeString,NtCreateFile,SetWaitableTimer,socket,CancelIo,CloseHandle,NtDeviceIoControlFile,closesocket,CancelIo,CloseHandle,SetWaitableTimer,NtDeviceIoControlFile, 38_2_00007FF65A3485A0
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB585A0: RtlInitUnicodeString,NtCreateFile,SetWaitableTimer,socket,CancelIo,CloseHandle,NtDeviceIoControlFile,closesocket,CancelIo,CloseHandle,SetWaitableTimer,NtDeviceIoControlFile, 28_2_00007FF7EDB585A0
PE file contains executable resources (Code or Archives)
Source: irftp.exe.8.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: irftp.exe0.8.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Sample file is different than original file name gathered from version info
Source: 1zdJLxxTnh.dll Binary or memory string: OriginalFilenamekbdyj% vs 1zdJLxxTnh.dll
PE file contains strange resources
Source: irftp.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe0.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe0.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe0.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe0.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe0.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe0.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe0.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe0.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe0.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe0.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: DUI70.dll.8.dr Static PE information: Number of sections : 36 > 10
Source: 1zdJLxxTnh.dll Static PE information: Number of sections : 35 > 10
Source: DUI70.dll0.8.dr Static PE information: Number of sections : 36 > 10
Source: DUI70.dll1.8.dr Static PE information: Number of sections : 36 > 10
Source: WINMM.dll.8.dr Static PE information: Number of sections : 36 > 10
Source: VERSION.dll.8.dr Static PE information: Number of sections : 36 > 10
Source: DUser.dll.8.dr Static PE information: Number of sections : 36 > 10
Source: MFC42u.dll.8.dr Static PE information: Number of sections : 36 > 10
Source: 1zdJLxxTnh.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.8.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll.8.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUser.dll.8.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.8.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.8.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.8.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll1.8.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1zdJLxxTnh.dll Metadefender: Detection: 62%
Source: 1zdJLxxTnh.dll ReversingLabs: Detection: 77%
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\1zdJLxxTnh.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\1zdJLxxTnh.dll',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1zdJLxxTnh.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\1zdJLxxTnh.dll,??0?$PatternProvider@VExpandCollapseProvider@DirectUI@@UIExpandCollapseProvider@@$00@DirectUI@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\1zdJLxxTnh.dll,??0?$PatternProvider@VGridItemProvider@DirectUI@@UIGridItemProvider@@$01@DirectUI@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\1zdJLxxTnh.dll,??0?$PatternProvider@VGridProvider@DirectUI@@UIGridProvider@@$02@DirectUI@@QEAA@XZ
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\ProximityUxHost.exe C:\Windows\system32\ProximityUxHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rstrui.exe C:\Windows\system32\rstrui.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\irftp.exe C:\Windows\system32\irftp.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe C:\Users\user\AppData\Local\94LPZAU0\irftp.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesComputerName.exe C:\Windows\system32\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\sessionmsg.exe C:\Windows\system32\sessionmsg.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\nPqx0Ph\sessionmsg.exe C:\Users\user\AppData\Local\nPqx0Ph\sessionmsg.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WindowsActionDialog.exe C:\Windows\system32\WindowsActionDialog.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\buYWmbl3\WindowsActionDialog.exe C:\Users\user\AppData\Local\buYWmbl3\WindowsActionDialog.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\irftp.exe C:\Windows\system32\irftp.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\hJiut\irftp.exe C:\Users\user\AppData\Local\hJiut\irftp.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\osk.exe C:\Windows\system32\osk.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: irftp.exe0.8.dr Binary string: \Device\IrDAIrDA:TinyTP:LsapSelOBEX:IrXferOBEXControl Panel\InfraredControl Panel\Infrared\GlobalControl Panel\Infrared\IrTranPAllowSendShowTrayIconPlaySoundRecvdFilesLocationDisableIrTranPv1DisableIrCOMMExploreOnCompletionSaveAsUPFireventsIrMon: ReadUserPreferences::Failed to init sockets
Source: classification engine Classification label: mal96.troj.evad.winDLL@44/15@0/0
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C9C510 TlsGetValue,TlsSetValue,CoCreateInstance,LoadStringW,GetLastError,CoAddRefServerProcess,TlsGetValue,TlsSetValue, 22_2_00007FF7A3C9C510
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB5D8A0 GetDiskFreeSpaceExW,WideCharToMultiByte,SystemTimeToFileTime,GetLastError,DeregisterEventSource, 28_2_00007FF7EDB5D8A0
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C8D49C FormatMessageW,GetLastError, 22_2_00007FF7A3C8D49C
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Mutant created: \Sessions\1\BaseNamedObjects\{7fb3532d-2e0a-67b3-786e-e42cc8f8f32e}
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Mutant created: \Sessions\1\BaseNamedObjects\{7252c30c-5638-f414-012b-360ce55d73af}
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CA3AA0 FindResourceExW,LoadResource,LockResource, 22_2_00007FF7A3CA3AA0
Source: 1zdJLxxTnh.dll Static PE information: More than 4320 > 100 exports found
Source: 1zdJLxxTnh.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: 1zdJLxxTnh.dll Static file information: File size 2068480 > 1048576
Source: 1zdJLxxTnh.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: ProximityUxHost.pdbGCTL source: ProximityUxHost.exe, 00000016.00000002.405012990.00007FF7A3CB2000.00000002.00020000.sdmp, ProximityUxHost.exe.8.dr
Source: Binary string: WindowsActionDialog.pdb source: WindowsActionDialog.exe, 00000024.00000002.493551175.00007FF6A5E0B000.00000002.00020000.sdmp, WindowsActionDialog.exe.8.dr
Source: Binary string: SessionMsg.pdb source: sessionmsg.exe, 00000021.00000002.461103553.00007FF67936A000.00000002.00020000.sdmp, sessionmsg.exe.8.dr
Source: Binary string: irftp.pdbGCTL source: irftp.exe, 0000001C.00000002.431900352.00007FF7EDB65000.00000002.00020000.sdmp, irftp.exe, 00000026.00000000.510674509.00007FF65A355000.00000002.00020000.sdmp, irftp.exe0.8.dr
Source: Binary string: PresentationHost.pdbGCTL source: PresentationHost.exe.8.dr
Source: Binary string: SessionMsg.pdbGCTL source: sessionmsg.exe, 00000021.00000002.461103553.00007FF67936A000.00000002.00020000.sdmp, sessionmsg.exe.8.dr
Source: Binary string: WindowsActionDialog.pdbGCTL source: WindowsActionDialog.exe, 00000024.00000002.493551175.00007FF6A5E0B000.00000002.00020000.sdmp, WindowsActionDialog.exe.8.dr
Source: Binary string: PresentationHost.pdb source: PresentationHost.exe.8.dr
Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe.8.dr
Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe.8.dr
Source: Binary string: ProximityUxHost.pdb source: ProximityUxHost.exe, 00000016.00000002.405012990.00007FF7A3CB2000.00000002.00020000.sdmp, ProximityUxHost.exe.8.dr
Source: Binary string: irftp.pdb source: irftp.exe, 0000001C.00000002.431900352.00007FF7EDB65000.00000002.00020000.sdmp, irftp.exe, 00000026.00000000.510674509.00007FF65A355000.00000002.00020000.sdmp, irftp.exe0.8.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret 0_2_0000000140056A4E
PE file contains sections with non-standard names
Source: 1zdJLxxTnh.dll Static PE information: section name: .qkm
Source: 1zdJLxxTnh.dll Static PE information: section name: .cvjb
Source: 1zdJLxxTnh.dll Static PE information: section name: .tlmkv
Source: 1zdJLxxTnh.dll Static PE information: section name: .wucsxe
Source: 1zdJLxxTnh.dll Static PE information: section name: .fltwtj
Source: 1zdJLxxTnh.dll Static PE information: section name: .tblq
Source: 1zdJLxxTnh.dll Static PE information: section name: .hcmjm
Source: 1zdJLxxTnh.dll Static PE information: section name: .nagyk
Source: 1zdJLxxTnh.dll Static PE information: section name: .jrucz
Source: 1zdJLxxTnh.dll Static PE information: section name: .rnr
Source: 1zdJLxxTnh.dll Static PE information: section name: .rdc
Source: 1zdJLxxTnh.dll Static PE information: section name: .umrigl
Source: 1zdJLxxTnh.dll Static PE information: section name: .nepl
Source: 1zdJLxxTnh.dll Static PE information: section name: .akkqh
Source: 1zdJLxxTnh.dll Static PE information: section name: .cvbwr
Source: 1zdJLxxTnh.dll Static PE information: section name: .ftrk
Source: 1zdJLxxTnh.dll Static PE information: section name: .ubbf
Source: 1zdJLxxTnh.dll Static PE information: section name: .ulwqi
Source: 1zdJLxxTnh.dll Static PE information: section name: .imcflb
Source: 1zdJLxxTnh.dll Static PE information: section name: .hgmkm
Source: 1zdJLxxTnh.dll Static PE information: section name: .cnoij
Source: 1zdJLxxTnh.dll Static PE information: section name: .qgdv
Source: 1zdJLxxTnh.dll Static PE information: section name: .hsbye
Source: 1zdJLxxTnh.dll Static PE information: section name: .cdn
Source: 1zdJLxxTnh.dll Static PE information: section name: .hte
Source: 1zdJLxxTnh.dll Static PE information: section name: .vcnknm
Source: 1zdJLxxTnh.dll Static PE information: section name: .thfe
Source: 1zdJLxxTnh.dll Static PE information: section name: .tat
Source: 1zdJLxxTnh.dll Static PE information: section name: .xqltbd
Source: ProximityUxHost.exe.8.dr Static PE information: section name: .imrsiv
Source: sessionmsg.exe.8.dr Static PE information: section name: .imrsiv
Source: WindowsActionDialog.exe.8.dr Static PE information: section name: .imrsiv
Source: CameraSettingsUIHost.exe.8.dr Static PE information: section name: .imrsiv
Source: DUI70.dll.8.dr Static PE information: section name: .qkm
Source: DUI70.dll.8.dr Static PE information: section name: .cvjb
Source: DUI70.dll.8.dr Static PE information: section name: .tlmkv
Source: DUI70.dll.8.dr Static PE information: section name: .wucsxe
Source: DUI70.dll.8.dr Static PE information: section name: .fltwtj
Source: DUI70.dll.8.dr Static PE information: section name: .tblq
Source: DUI70.dll.8.dr Static PE information: section name: .hcmjm
Source: DUI70.dll.8.dr Static PE information: section name: .nagyk
Source: DUI70.dll.8.dr Static PE information: section name: .jrucz
Source: DUI70.dll.8.dr Static PE information: section name: .rnr
Source: DUI70.dll.8.dr Static PE information: section name: .rdc
Source: DUI70.dll.8.dr Static PE information: section name: .umrigl
Source: DUI70.dll.8.dr Static PE information: section name: .nepl
Source: DUI70.dll.8.dr Static PE information: section name: .akkqh
Source: DUI70.dll.8.dr Static PE information: section name: .cvbwr
Source: DUI70.dll.8.dr Static PE information: section name: .ftrk
Source: DUI70.dll.8.dr Static PE information: section name: .ubbf
Source: DUI70.dll.8.dr Static PE information: section name: .ulwqi
Source: DUI70.dll.8.dr Static PE information: section name: .imcflb
Source: DUI70.dll.8.dr Static PE information: section name: .hgmkm
Source: DUI70.dll.8.dr Static PE information: section name: .cnoij
Source: DUI70.dll.8.dr Static PE information: section name: .qgdv
Source: DUI70.dll.8.dr Static PE information: section name: .hsbye
Source: DUI70.dll.8.dr Static PE information: section name: .cdn
Source: DUI70.dll.8.dr Static PE information: section name: .hte
Source: DUI70.dll.8.dr Static PE information: section name: .vcnknm
Source: DUI70.dll.8.dr Static PE information: section name: .thfe
Source: DUI70.dll.8.dr Static PE information: section name: .tat
Source: DUI70.dll.8.dr Static PE information: section name: .xqltbd
Source: DUI70.dll.8.dr Static PE information: section name: .ypfdqp
Source: WINMM.dll.8.dr Static PE information: section name: .qkm
Source: WINMM.dll.8.dr Static PE information: section name: .cvjb
Source: WINMM.dll.8.dr Static PE information: section name: .tlmkv
Source: WINMM.dll.8.dr Static PE information: section name: .wucsxe
Source: WINMM.dll.8.dr Static PE information: section name: .fltwtj
Source: WINMM.dll.8.dr Static PE information: section name: .tblq
Source: WINMM.dll.8.dr Static PE information: section name: .hcmjm
Source: WINMM.dll.8.dr Static PE information: section name: .nagyk
Source: WINMM.dll.8.dr Static PE information: section name: .jrucz
Source: WINMM.dll.8.dr Static PE information: section name: .rnr
Source: WINMM.dll.8.dr Static PE information: section name: .rdc
Source: WINMM.dll.8.dr Static PE information: section name: .umrigl
Source: WINMM.dll.8.dr Static PE information: section name: .nepl
Source: WINMM.dll.8.dr Static PE information: section name: .akkqh
Source: WINMM.dll.8.dr Static PE information: section name: .cvbwr
Source: WINMM.dll.8.dr Static PE information: section name: .ftrk
Source: WINMM.dll.8.dr Static PE information: section name: .ubbf
Source: WINMM.dll.8.dr Static PE information: section name: .ulwqi
Source: WINMM.dll.8.dr Static PE information: section name: .imcflb
Source: WINMM.dll.8.dr Static PE information: section name: .hgmkm
Source: WINMM.dll.8.dr Static PE information: section name: .cnoij
Source: WINMM.dll.8.dr Static PE information: section name: .qgdv
Source: WINMM.dll.8.dr Static PE information: section name: .hsbye
Source: WINMM.dll.8.dr Static PE information: section name: .cdn
Source: WINMM.dll.8.dr Static PE information: section name: .hte
Source: WINMM.dll.8.dr Static PE information: section name: .vcnknm
Source: WINMM.dll.8.dr Static PE information: section name: .thfe
Source: WINMM.dll.8.dr Static PE information: section name: .tat
Source: WINMM.dll.8.dr Static PE information: section name: .xqltbd
Source: WINMM.dll.8.dr Static PE information: section name: .nghj
Source: DUser.dll.8.dr Static PE information: section name: .qkm
Source: DUser.dll.8.dr Static PE information: section name: .cvjb
Source: DUser.dll.8.dr Static PE information: section name: .tlmkv
Source: DUser.dll.8.dr Static PE information: section name: .wucsxe
Source: DUser.dll.8.dr Static PE information: section name: .fltwtj
Source: DUser.dll.8.dr Static PE information: section name: .tblq
Source: DUser.dll.8.dr Static PE information: section name: .hcmjm
Source: DUser.dll.8.dr Static PE information: section name: .nagyk
Source: DUser.dll.8.dr Static PE information: section name: .jrucz
Source: DUser.dll.8.dr Static PE information: section name: .rnr
Source: DUser.dll.8.dr Static PE information: section name: .rdc
Source: DUser.dll.8.dr Static PE information: section name: .umrigl
Source: DUser.dll.8.dr Static PE information: section name: .nepl
Source: DUser.dll.8.dr Static PE information: section name: .akkqh
Source: DUser.dll.8.dr Static PE information: section name: .cvbwr
Source: DUser.dll.8.dr Static PE information: section name: .ftrk
Source: DUser.dll.8.dr Static PE information: section name: .ubbf
Source: DUser.dll.8.dr Static PE information: section name: .ulwqi
Source: DUser.dll.8.dr Static PE information: section name: .imcflb
Source: DUser.dll.8.dr Static PE information: section name: .hgmkm
Source: DUser.dll.8.dr Static PE information: section name: .cnoij
Source: DUser.dll.8.dr Static PE information: section name: .qgdv
Source: DUser.dll.8.dr Static PE information: section name: .hsbye
Source: DUser.dll.8.dr Static PE information: section name: .cdn
Source: DUser.dll.8.dr Static PE information: section name: .hte
Source: DUser.dll.8.dr Static PE information: section name: .vcnknm
Source: DUser.dll.8.dr Static PE information: section name: .thfe
Source: DUser.dll.8.dr Static PE information: section name: .tat
Source: DUser.dll.8.dr Static PE information: section name: .xqltbd
Source: DUser.dll.8.dr Static PE information: section name: .lebs
Source: DUI70.dll0.8.dr Static PE information: section name: .qkm
Source: DUI70.dll0.8.dr Static PE information: section name: .cvjb
Source: DUI70.dll0.8.dr Static PE information: section name: .tlmkv
Source: DUI70.dll0.8.dr Static PE information: section name: .wucsxe
Source: DUI70.dll0.8.dr Static PE information: section name: .fltwtj
Source: DUI70.dll0.8.dr Static PE information: section name: .tblq
Source: DUI70.dll0.8.dr Static PE information: section name: .hcmjm
Source: DUI70.dll0.8.dr Static PE information: section name: .nagyk
Source: DUI70.dll0.8.dr Static PE information: section name: .jrucz
Source: DUI70.dll0.8.dr Static PE information: section name: .rnr
Source: DUI70.dll0.8.dr Static PE information: section name: .rdc
Source: DUI70.dll0.8.dr Static PE information: section name: .umrigl
Source: DUI70.dll0.8.dr Static PE information: section name: .nepl
Source: DUI70.dll0.8.dr Static PE information: section name: .akkqh
Source: DUI70.dll0.8.dr Static PE information: section name: .cvbwr
Source: DUI70.dll0.8.dr Static PE information: section name: .ftrk
Source: DUI70.dll0.8.dr Static PE information: section name: .ubbf
Source: DUI70.dll0.8.dr Static PE information: section name: .ulwqi
Source: DUI70.dll0.8.dr Static PE information: section name: .imcflb
Source: DUI70.dll0.8.dr Static PE information: section name: .hgmkm
Source: DUI70.dll0.8.dr Static PE information: section name: .cnoij
Source: DUI70.dll0.8.dr Static PE information: section name: .qgdv
Source: DUI70.dll0.8.dr Static PE information: section name: .hsbye
Source: DUI70.dll0.8.dr Static PE information: section name: .cdn
Source: DUI70.dll0.8.dr Static PE information: section name: .hte
Source: DUI70.dll0.8.dr Static PE information: section name: .vcnknm
Source: DUI70.dll0.8.dr Static PE information: section name: .thfe
Source: DUI70.dll0.8.dr Static PE information: section name: .tat
Source: DUI70.dll0.8.dr Static PE information: section name: .xqltbd
Source: DUI70.dll0.8.dr Static PE information: section name: .lzkq
Source: MFC42u.dll.8.dr Static PE information: section name: .qkm
Source: MFC42u.dll.8.dr Static PE information: section name: .cvjb
Source: MFC42u.dll.8.dr Static PE information: section name: .tlmkv
Source: MFC42u.dll.8.dr Static PE information: section name: .wucsxe
Source: MFC42u.dll.8.dr Static PE information: section name: .fltwtj
Source: MFC42u.dll.8.dr Static PE information: section name: .tblq
Source: MFC42u.dll.8.dr Static PE information: section name: .hcmjm
Source: MFC42u.dll.8.dr Static PE information: section name: .nagyk
Source: MFC42u.dll.8.dr Static PE information: section name: .jrucz
Source: MFC42u.dll.8.dr Static PE information: section name: .rnr
Source: MFC42u.dll.8.dr Static PE information: section name: .rdc
Source: MFC42u.dll.8.dr Static PE information: section name: .umrigl
Source: MFC42u.dll.8.dr Static PE information: section name: .nepl
Source: MFC42u.dll.8.dr Static PE information: section name: .akkqh
Source: MFC42u.dll.8.dr Static PE information: section name: .cvbwr
Source: MFC42u.dll.8.dr Static PE information: section name: .ftrk
Source: MFC42u.dll.8.dr Static PE information: section name: .ubbf
Source: MFC42u.dll.8.dr Static PE information: section name: .ulwqi
Source: MFC42u.dll.8.dr Static PE information: section name: .imcflb
Source: MFC42u.dll.8.dr Static PE information: section name: .hgmkm
Source: MFC42u.dll.8.dr Static PE information: section name: .cnoij
Source: MFC42u.dll.8.dr Static PE information: section name: .qgdv
Source: MFC42u.dll.8.dr Static PE information: section name: .hsbye
Source: MFC42u.dll.8.dr Static PE information: section name: .cdn
Source: MFC42u.dll.8.dr Static PE information: section name: .hte
Source: MFC42u.dll.8.dr Static PE information: section name: .vcnknm
Source: MFC42u.dll.8.dr Static PE information: section name: .thfe
Source: MFC42u.dll.8.dr Static PE information: section name: .tat
Source: MFC42u.dll.8.dr Static PE information: section name: .xqltbd
Source: MFC42u.dll.8.dr Static PE information: section name: .qhr
Source: VERSION.dll.8.dr Static PE information: section name: .qkm
Source: VERSION.dll.8.dr Static PE information: section name: .cvjb
Source: VERSION.dll.8.dr Static PE information: section name: .tlmkv
Source: VERSION.dll.8.dr Static PE information: section name: .wucsxe
Source: VERSION.dll.8.dr Static PE information: section name: .fltwtj
Source: VERSION.dll.8.dr Static PE information: section name: .tblq
Source: VERSION.dll.8.dr Static PE information: section name: .hcmjm
Source: VERSION.dll.8.dr Static PE information: section name: .nagyk
Source: VERSION.dll.8.dr Static PE information: section name: .jrucz
Source: VERSION.dll.8.dr Static PE information: section name: .rnr
Source: VERSION.dll.8.dr Static PE information: section name: .rdc
Source: VERSION.dll.8.dr Static PE information: section name: .umrigl
Source: VERSION.dll.8.dr Static PE information: section name: .nepl
Source: VERSION.dll.8.dr Static PE information: section name: .akkqh
Source: VERSION.dll.8.dr Static PE information: section name: .cvbwr
Source: VERSION.dll.8.dr Static PE information: section name: .ftrk
Source: VERSION.dll.8.dr Static PE information: section name: .ubbf
Source: VERSION.dll.8.dr Static PE information: section name: .ulwqi
Source: VERSION.dll.8.dr Static PE information: section name: .imcflb
Source: VERSION.dll.8.dr Static PE information: section name: .hgmkm
Source: VERSION.dll.8.dr Static PE information: section name: .cnoij
Source: VERSION.dll.8.dr Static PE information: section name: .qgdv
Source: VERSION.dll.8.dr Static PE information: section name: .hsbye
Source: VERSION.dll.8.dr Static PE information: section name: .cdn
Source: VERSION.dll.8.dr Static PE information: section name: .hte
Source: VERSION.dll.8.dr Static PE information: section name: .vcnknm
Source: VERSION.dll.8.dr Static PE information: section name: .thfe
Source: VERSION.dll.8.dr Static PE information: section name: .tat
Source: VERSION.dll.8.dr Static PE information: section name: .xqltbd
Source: VERSION.dll.8.dr Static PE information: section name: .pwi
Source: DUI70.dll1.8.dr Static PE information: section name: .qkm
Source: DUI70.dll1.8.dr Static PE information: section name: .cvjb
Source: DUI70.dll1.8.dr Static PE information: section name: .tlmkv
Source: DUI70.dll1.8.dr Static PE information: section name: .wucsxe
Source: DUI70.dll1.8.dr Static PE information: section name: .fltwtj
Source: DUI70.dll1.8.dr Static PE information: section name: .tblq
Source: DUI70.dll1.8.dr Static PE information: section name: .hcmjm
Source: DUI70.dll1.8.dr Static PE information: section name: .nagyk
Source: DUI70.dll1.8.dr Static PE information: section name: .jrucz
Source: DUI70.dll1.8.dr Static PE information: section name: .rnr
Source: DUI70.dll1.8.dr Static PE information: section name: .rdc
Source: DUI70.dll1.8.dr Static PE information: section name: .umrigl
Source: DUI70.dll1.8.dr Static PE information: section name: .nepl
Source: DUI70.dll1.8.dr Static PE information: section name: .akkqh
Source: DUI70.dll1.8.dr Static PE information: section name: .cvbwr
Source: DUI70.dll1.8.dr Static PE information: section name: .ftrk
Source: DUI70.dll1.8.dr Static PE information: section name: .ubbf
Source: DUI70.dll1.8.dr Static PE information: section name: .ulwqi
Source: DUI70.dll1.8.dr Static PE information: section name: .imcflb
Source: DUI70.dll1.8.dr Static PE information: section name: .hgmkm
Source: DUI70.dll1.8.dr Static PE information: section name: .cnoij
Source: DUI70.dll1.8.dr Static PE information: section name: .qgdv
Source: DUI70.dll1.8.dr Static PE information: section name: .hsbye
Source: DUI70.dll1.8.dr Static PE information: section name: .cdn
Source: DUI70.dll1.8.dr Static PE information: section name: .hte
Source: DUI70.dll1.8.dr Static PE information: section name: .vcnknm
Source: DUI70.dll1.8.dr Static PE information: section name: .thfe
Source: DUI70.dll1.8.dr Static PE information: section name: .tat
Source: DUI70.dll1.8.dr Static PE information: section name: .xqltbd
Source: DUI70.dll1.8.dr Static PE information: section name: .tvyui
PE file contains an invalid checksum
Source: DUI70.dll.8.dr Static PE information: real checksum: 0x7d786c40 should be: 0x24017f
Source: 1zdJLxxTnh.dll Static PE information: real checksum: 0x7d786c40 should be: 0x204ddc
Source: DUI70.dll0.8.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2499f9
Source: DUI70.dll1.8.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2443fc
Source: WINMM.dll.8.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2084b0
Source: VERSION.dll.8.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2058c8
Source: DUser.dll.8.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2056b9
Source: MFC42u.dll.8.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20b855
Binary contains a suspicious time stamp
Source: WindowsActionDialog.exe.8.dr Static PE information: 0xBDD86903 [Sat Dec 6 07:28:03 2070 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\94LPZAU0\WINMM.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\cp4nWp\VERSION.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\buYWmbl3\WindowsActionDialog.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\XVzc21m9h\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\cp4nWp\PresentationHost.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\fk8bXjSn\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\hJiut\irftp.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\XVzc21m9h\CameraSettingsUIHost.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\nPqx0Ph\sessionmsg.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\buYWmbl3\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\nPqx0Ph\DUser.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\hJiut\MFC42u.dll
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\cp4nWp\VERSION.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\cp4nWp\PresentationHost.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\XVzc21m9h\CameraSettingsUIHost.exe
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 GetSystemInfo, 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB5B908 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose, 28_2_00007FF7EDB5B908
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB5C018 FindFirstFileW,lstrcmpW,lstrcmpW,CreateFileW,GetFileSize,CloseHandle,FindNextFileW,FindClose, 28_2_00007FF7EDB5C018
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A34C018 FindFirstFileW,lstrcmpW,lstrcmpW,CreateFileW,GetFileSize,CloseHandle,FindNextFileW,FindClose, 38_2_00007FF65A34C018
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A34B908 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose, 38_2_00007FF65A34B908
Source: explorer.exe, 00000008.00000000.309714093.0000000008919000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.308851272.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.295042071.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000008.00000000.308851272.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000008.00000000.288081947.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.288081947.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000008.00000000.331363758.000000000EE50000.00000004.00000001.sdmp Binary or memory string: 63}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: explorer.exe, 00000008.00000000.283823557.0000000000B7D000.00000004.00000020.sdmp Binary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1
Source: explorer.exe, 00000008.00000000.308851272.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C88454 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 22_2_00007FF7A3C88454
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\nPqx0Ph\sessionmsg.exe Code function: 33_2_00007FF6793672D0 GetLastError,_vsnprintf,OutputDebugStringA,SetLastError, 33_2_00007FF6793672D0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C944D4 GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle, 22_2_00007FF7A3C944D4
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose, 0_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CB0740 SetUnhandledExceptionFilter, 22_2_00007FF7A3CB0740
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CB09B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_00007FF7A3CB09B4
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB63498 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00007FF7EDB63498
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB63840 SetUnhandledExceptionFilter, 28_2_00007FF7EDB63840
Source: C:\Users\user\AppData\Local\nPqx0Ph\sessionmsg.exe Code function: 33_2_00007FF679367E80 SetUnhandledExceptionFilter, 33_2_00007FF679367E80
Source: C:\Users\user\AppData\Local\nPqx0Ph\sessionmsg.exe Code function: 33_2_00007FF679367AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 33_2_00007FF679367AA4
Source: C:\Users\user\AppData\Local\buYWmbl3\WindowsActionDialog.exe Code function: 36_2_00007FF6A5E08450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_00007FF6A5E08450
Source: C:\Users\user\AppData\Local\buYWmbl3\WindowsActionDialog.exe Code function: 36_2_00007FF6A5E08750 SetUnhandledExceptionFilter, 36_2_00007FF6A5E08750
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A353498 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 38_2_00007FF65A353498
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A353840 SetUnhandledExceptionFilter, 38_2_00007FF65A353840

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: DUI70.dll.8.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4EFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4E000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8BAD2A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1zdJLxxTnh.dll',#1
Source: explorer.exe, 00000008.00000000.283813716.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 00000008.00000000.337845036.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.337845036.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.337845036.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.337845036.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000000.295042071.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\nPqx0Ph\sessionmsg.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\buYWmbl3\WindowsActionDialog.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Queries volume information: unknown VolumeInformation
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3CB08D0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 22_2_00007FF7A3CB08D0

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\fk8bXjSn\ProximityUxHost.exe Code function: 22_2_00007FF7A3C9C8A0 TlsGetValue,TlsSetValue,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?CreateBool@Value@DirectUI@@SAPEAV12@_N@Z,?AccessibleProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ,?SetValue@Element@DirectUI@@QEAAJP6APEBUPropertyInfo@2@XZHPEAVValue@2@@Z,?_ZeroRelease@Value@DirectUI@@AEAAXXZ,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?GetClassInfoPtr@ModernProgressBar@DirectUI@@SAPEAUIClassInfo@2@XZ,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ,TlsGetValue,TlsSetValue, 22_2_00007FF7A3C9C8A0
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB5EE8C socket,WSAGetLastError,memset,setsockopt,WSAGetLastError,closesocket,setsockopt,memset,bind,listen,CreateIoCompletionPort, 28_2_00007FF7EDB5EE8C
Source: C:\Users\user\AppData\Local\94LPZAU0\irftp.exe Code function: 28_2_00007FF7EDB5A078 WSAStartup,OpenFileMappingW,MapViewOfFile,CloseHandle,GetLastError,DbgPrint,lstrcmpA,WSASocketW,UnmapViewOfFile,WSAGetLastError,DbgPrint,socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,closesocket, 28_2_00007FF7EDB5A078
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A34A078 WSAStartup,OpenFileMappingW,MapViewOfFile,CloseHandle,GetLastError,DbgPrint,lstrcmpA,WSASocketW,UnmapViewOfFile,WSAGetLastError,DbgPrint,socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,closesocket, 38_2_00007FF65A34A078
Source: C:\Users\user\AppData\Local\hJiut\irftp.exe Code function: 38_2_00007FF65A34EE8C socket,WSAGetLastError,memset,setsockopt,WSAGetLastError,closesocket,setsockopt,memset,bind,listen,CreateIoCompletionPort, 38_2_00007FF65A34EE8C
No contacted IP infos