Windows Analysis Report yWteP7e12z

Overview

General Information

Sample Name: yWteP7e12z (renamed file extension from none to dll)
Analysis ID: 492789
MD5: a75be08d11b5028b6e0fa8be59676599
SHA1: c47a48e04dc10641df07dba7dbbb73602e6615aa
SHA256: 7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Contains functionality to prevent local Windows debugging
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Queries the volume information (name, serial number, etc.) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: yWteP7e12z.dll Virustotal: Detection: 64%
Source: yWteP7e12z.dll ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: yWteP7e12z.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: yWteP7e12z.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E11E7CC SysFreeString,SysAllocString,SysStringLen,SysFreeString,SysAllocString,SysStringLen,SysFreeString,SysStringByteLen,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysAllocStringByteLen,SysStringLen,CryptImportKey,free,SysStringLen,CryptDecrypt,SysAllocStringByteLen,SysFreeString,free,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 26_2_00007FF74E11E7CC
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E11E3A0 CryptBinaryToStringW,GetLastError,malloc,CryptBinaryToStringW,GetLastError,free,SysFreeString, 26_2_00007FF74E11E3A0
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E11E530 CryptStringToBinaryW,GetLastError,malloc,CryptStringToBinaryW,GetLastError, 26_2_00007FF74E11E530
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E11CDC8 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,??3@YAXPEAX@Z, 26_2_00007FF74E11CDC8
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E11DE38 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGenKey,GetLastError,GetLastError, 26_2_00007FF74E11DE38
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E11E22C CryptExportKey,GetLastError,malloc,CryptExportKey,GetLastError,free, 26_2_00007FF74E11E22C
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791479B90 CryptGenRandom,GetLastError, 32_2_00007FF791479B90
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791479520 CryptReleaseContext, 32_2_00007FF791479520
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791479F20 CryptAcquireContextW,GetLastError, 32_2_00007FF791479F20
Source: yWteP7e12z.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: SppExtComObj.pdb source: SppExtComObj.Exe, 00000020.00000000.480829026.00007FF7914D1000.00000002.00020000.sdmp
Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000025.00000002.559644071.00007FF6E8935000.00000002.00020000.sdmp
Source: Binary string: BdeUISrv.pdb source: BdeUISrv.exe, 00000029.00000000.561844612.00007FF6E6D69000.00000002.00020000.sdmp
Source: Binary string: SnippingTool.pdb source: SnippingTool.exe, 00000013.00000000.393138580.00007FF73D070000.00000002.00020000.sdmp
Source: Binary string: SnippingTool.pdbGCTL source: SnippingTool.exe, 00000013.00000000.393138580.00007FF73D070000.00000002.00020000.sdmp
Source: Binary string: BdeUISrv.pdbGCTL source: BdeUISrv.exe, 00000029.00000000.561844612.00007FF6E6D69000.00000002.00020000.sdmp
Source: Binary string: RAServer.pdb source: raserver.exe, 0000001A.00000000.421498383.00007FF74E123000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe, 00000022.00000000.507457464.00007FF67B6CD000.00000002.00020000.sdmp
Source: Binary string: wscript.pdb source: wscript.exe, 00000025.00000002.559644071.00007FF6E8935000.00000002.00020000.sdmp
Source: Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe, 00000020.00000000.480829026.00007FF7914D1000.00000002.00020000.sdmp
Source: Binary string: RAServer.pdbGCTL source: raserver.exe, 0000001A.00000000.421498383.00007FF74E123000.00000002.00020000.sdmp
Source: Binary string: DDODiag.pdbGCTL source: ddodiag.exe, 0000001C.00000000.447876390.00007FF740984000.00000002.00020000.sdmp
Source: Binary string: DDODiag.pdb source: ddodiag.exe, 0000001C.00000000.447876390.00007FF740984000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdb source: WMPDMC.exe, 00000022.00000000.507457464.00007FF67B6CD000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E892D4A0 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose, 37_2_00007FF6E892D4A0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B612AE8 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,GetObjectW,GdiplusStartup,GdipAlloc,GdipCreateBitmapFromHBITMAP,GdipGetImageWidth,GdipGetImageHeight,GdipCreateHBITMAPFromBitmap,GdiplusShutdown,DeleteObject,DeleteDC,ReleaseDC, 34_2_00007FF67B612AE8
Contains functionality to read data from the clipboard
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code function: 19_2_00007FF73D0437A8 OpenClipboard,GetLastError, 19_2_00007FF73D0437A8

E-Banking Fraud:

Yara detected Dridex unpacked file

System Summary:

PE file contains section with special chars
Source: SppExtComObj.Exe.5.dr Static PE information: section name: ?g_Encry
Detected potential crypto function
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B6B175C 34_2_00007FF67B6B175C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B63773C 34_2_00007FF67B63773C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B67D820 34_2_00007FF67B67D820
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B6957D8 34_2_00007FF67B6957D8
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B6BD7D0 34_2_00007FF67B6BD7D0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B65171C 34_2_00007FF67B65171C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B639590 34_2_00007FF67B639590
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B64B610 34_2_00007FF67B64B610
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B65D5F4 34_2_00007FF67B65D5F4
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B67AC70 34_2_00007FF67B67AC70
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B664D18 34_2_00007FF67B664D18
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B60AB3C 34_2_00007FF67B60AB3C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B61AB44 34_2_00007FF67B61AB44
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B65CBE8 34_2_00007FF67B65CBE8
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B602A84 34_2_00007FF67B602A84
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B644A8C 34_2_00007FF67B644A8C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B646940 34_2_00007FF67B646940
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B638A0C 34_2_00007FF67B638A0C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B69A9D0 34_2_00007FF67B69A9D0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B65504C 34_2_00007FF67B65504C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B698FA0 34_2_00007FF67B698FA0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B624F80 34_2_00007FF67B624F80
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B630F54 34_2_00007FF67B630F54
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B61D034 34_2_00007FF67B61D034
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B664FFC 34_2_00007FF67B664FFC
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B687000 34_2_00007FF67B687000
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B68CE54 34_2_00007FF67B68CE54
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B68AD78 34_2_00007FF67B68AD78
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B620D50 34_2_00007FF67B620D50
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B67CD50 34_2_00007FF67B67CD50
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B692E28 34_2_00007FF67B692E28
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B6B0E08 34_2_00007FF67B6B0E08
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B632498 34_2_00007FF67B632498
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B6BC464 34_2_00007FF67B6BC464
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B66E510 34_2_00007FF67B66E510
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B60C4F4 34_2_00007FF67B60C4F4
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B5F84E8 34_2_00007FF67B5F84E8
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B64A340 34_2_00007FF67B64A340
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B686428 34_2_00007FF67B686428
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B68C3F0 34_2_00007FF67B68C3F0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B60A3F0 34_2_00007FF67B60A3F0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B6463C8 34_2_00007FF67B6463C8
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E89321C4 37_2_00007FF6E89321C4
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E8931A34 37_2_00007FF6E8931A34
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E8925A34 37_2_00007FF6E8925A34
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E8926954 37_2_00007FF6E8926954
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E89291AC 37_2_00007FF6E89291AC
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E8927B1C 37_2_00007FF6E8927B1C
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E892AE8C 37_2_00007FF6E892AE8C
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E8930A94 37_2_00007FF6E8930A94
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E893340C 37_2_00007FF6E893340C
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E8931F68 37_2_00007FF6E8931F68
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E8928348 37_2_00007FF6E8928348
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E89234D8 37_2_00007FF6E89234D8
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E8931C9C 37_2_00007FF6E8931C9C
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E89314A0 37_2_00007FF6E89314A0
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Code function: 41_2_00007FF6E6D62134 41_2_00007FF6E6D62134
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Code function: 41_2_00007FF6E6D64500 41_2_00007FF6E6D64500
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Code function: 41_2_00007FF6E6D638D0 41_2_00007FF6E6D638D0
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Code function: 41_2_00007FF6E6D62A9C 41_2_00007FF6E6D62A9C
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Code function: 41_2_00007FF6E6D64D78 41_2_00007FF6E6D64D78
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Code function: 41_2_00007FF6E6D63F74 41_2_00007FF6E6D63F74
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: String function: 00007FF67B5F3240 appears 37 times
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code function: String function: 00007FF73D061454 appears 227 times
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: String function: 00007FF74E11FA1C appears 106 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140046C90 NtClose, 0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 NtQuerySystemInformation, 0_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF7914751E0 OpenEventW,NtQuerySystemInformation, 32_2_00007FF7914751E0
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791480C90 NtQuerySystemInformation, 32_2_00007FF791480C90
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791479440 NtQuerySystemInformation, 32_2_00007FF791479440
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791480CE0 NtQuerySystemInformation, 32_2_00007FF791480CE0
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791479E57 NtQuerySystemInformation, 32_2_00007FF791479E57
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791479EA0 NtQuerySystemInformation, 32_2_00007FF791479EA0
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791479E13 NtQuerySystemInformation, 32_2_00007FF791479E13
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791480820 NtQuerySystemInformation, 32_2_00007FF791480820
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF79147676C NtQuerySystemInformation, 32_2_00007FF79147676C
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791480780 NtQuerySystemInformation, 32_2_00007FF791480780
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791480721 NtQuerySystemInformation, 32_2_00007FF791480721
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF79147679C NtQuerySystemInformation, 32_2_00007FF79147679C
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791480FA0 NtQuerySystemInformation, 32_2_00007FF791480FA0
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF7914807D0 NtQuerySystemInformation, 32_2_00007FF7914807D0
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E892AE00 GetWindowLongPtrA,SetWindowLongPtrA,NtdllDefWindowProc_A, 37_2_00007FF6E892AE00
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E892AC78 KillTimer,GetLastError,KillTimer,GetLastError,SetTimer,GetLastError,NtdllDefWindowProc_A,KillTimer,EnumThreadWindows,PostQuitMessage, 37_2_00007FF6E892AC78
PE file contains strange resources
Source: SnippingTool.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sethc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sethc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sethc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MusNotifyIcon.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MusNotifyIcon.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MusNotifyIcon.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MusNotifyIcon.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: yWteP7e12z.dll Static PE information: Number of sections : 40 > 10
Source: ACTIVEDS.dll.5.dr Static PE information: Number of sections : 41 > 10
Source: WTSAPI32.dll.5.dr Static PE information: Number of sections : 41 > 10
Source: OLEACC.dll1.5.dr Static PE information: Number of sections : 41 > 10
Source: VERSION.dll.5.dr Static PE information: Number of sections : 41 > 10
Source: XmlLite.dll1.5.dr Static PE information: Number of sections : 41 > 10
Source: XmlLite.dll0.5.dr Static PE information: Number of sections : 41 > 10
Source: XmlLite.dll.5.dr Static PE information: Number of sections : 41 > 10
Source: OLEACC.dll0.5.dr Static PE information: Number of sections : 41 > 10
Source: OLEACC.dll.5.dr Static PE information: Number of sections : 41 > 10
Source: WTSAPI32.dll0.5.dr Static PE information: Number of sections : 41 > 10
Source: yWteP7e12z.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ACTIVEDS.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SppExtComObj.Exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll0.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll0.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll0.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll1.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll1.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: yWteP7e12z.dll Virustotal: Detection: 64%
Source: yWteP7e12z.dll ReversingLabs: Detection: 77%
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\yWteP7e12z.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedAnimation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedPaint
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginPanningFeedback
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\recdisc.exe C:\Windows\system32\recdisc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SnippingTool.exe C:\Windows\system32\SnippingTool.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\raserver.exe C:\Windows\system32\raserver.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\eQL\raserver.exe C:\Users\user\AppData\Local\eQL\raserver.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\ddodiag.exe C:\Windows\system32\ddodiag.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\dccw.exe C:\Windows\system32\dccw.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SppExtComObj.Exe C:\Windows\system32\SppExtComObj.Exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WMPDMC.exe C:\Windows\system32\WMPDMC.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe C:\Users\user\AppData\Local\JFuMqIg\wscript.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\BdeUISrv.exe C:\Windows\system32\BdeUISrv.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.troj.evad.winDLL@49/21@0/0
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code function: 19_2_00007FF73D057E20 CoCreateInstance, 19_2_00007FF73D057E20
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E8926954 FormatMessageW,GetLastError,WideCharToMultiByte,WideCharToMultiByte,FormatMessageA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,SysAllocString,LocalFree,LocalFree, 37_2_00007FF6E8926954
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Code function: 41_2_00007FF6E6D664A0 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,QueryServiceStatus,StartServiceW,GetLastError,Sleep,QueryServiceStatus,GetLastError,CloseServiceHandle,CloseServiceHandle, 41_2_00007FF6E6D664A0
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Mutant created: \Sessions\1\BaseNamedObjects\{169aafc0-b674-dc63-e06b-2eae4586757b}
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Mutant created: \Sessions\1\BaseNamedObjects\{25f30cca-9195-545a-ce6a-753d20cd2cd4}
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code function: 19_2_00007FF73D04C9A0 LoadResource,LockResource,SizeofResource, 19_2_00007FF73D04C9A0
Source: SppExtComObj.Exe String found in binary or memory: msSPP-InstallationId
Source: yWteP7e12z.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: yWteP7e12z.dll Static file information: File size 2105344 > 1048576
Source: yWteP7e12z.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: SppExtComObj.pdb source: SppExtComObj.Exe, 00000020.00000000.480829026.00007FF7914D1000.00000002.00020000.sdmp
Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000025.00000002.559644071.00007FF6E8935000.00000002.00020000.sdmp
Source: Binary string: BdeUISrv.pdb source: BdeUISrv.exe, 00000029.00000000.561844612.00007FF6E6D69000.00000002.00020000.sdmp
Source: Binary string: SnippingTool.pdb source: SnippingTool.exe, 00000013.00000000.393138580.00007FF73D070000.00000002.00020000.sdmp
Source: Binary string: SnippingTool.pdbGCTL source: SnippingTool.exe, 00000013.00000000.393138580.00007FF73D070000.00000002.00020000.sdmp
Source: Binary string: BdeUISrv.pdbGCTL source: BdeUISrv.exe, 00000029.00000000.561844612.00007FF6E6D69000.00000002.00020000.sdmp
Source: Binary string: RAServer.pdb source: raserver.exe, 0000001A.00000000.421498383.00007FF74E123000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe, 00000022.00000000.507457464.00007FF67B6CD000.00000002.00020000.sdmp
Source: Binary string: wscript.pdb source: wscript.exe, 00000025.00000002.559644071.00007FF6E8935000.00000002.00020000.sdmp
Source: Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe, 00000020.00000000.480829026.00007FF7914D1000.00000002.00020000.sdmp
Source: Binary string: RAServer.pdbGCTL source: raserver.exe, 0000001A.00000000.421498383.00007FF74E123000.00000002.00020000.sdmp
Source: Binary string: DDODiag.pdbGCTL source: ddodiag.exe, 0000001C.00000000.447876390.00007FF740984000.00000002.00020000.sdmp
Source: Binary string: DDODiag.pdb source: ddodiag.exe, 0000001C.00000000.447876390.00007FF740984000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdb source: WMPDMC.exe, 00000022.00000000.507457464.00007FF67B6CD000.00000002.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret 0_2_0000000140056A4E
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791478A2E push rax; iretd 32_2_00007FF791478A35
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791479AB9 push rsi; retf 32_2_00007FF791479ABA
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF7914791EA push 6826517Ch; retf 32_2_00007FF7914791F5
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791479B37 push rcx; ret 32_2_00007FF791479B38
PE file contains sections with non-standard names
Source: yWteP7e12z.dll Static PE information: section name: .qkm
Source: yWteP7e12z.dll Static PE information: section name: .cvjb
Source: yWteP7e12z.dll Static PE information: section name: .tlmkv
Source: yWteP7e12z.dll Static PE information: section name: .wucsxe
Source: yWteP7e12z.dll Static PE information: section name: .fltwtj
Source: yWteP7e12z.dll Static PE information: section name: .sfplio
Source: yWteP7e12z.dll Static PE information: section name: .rpg
Source: yWteP7e12z.dll Static PE information: section name: .bewzc
Source: yWteP7e12z.dll Static PE information: section name: .vksvaw
Source: yWteP7e12z.dll Static PE information: section name: .wmhg
Source: yWteP7e12z.dll Static PE information: section name: .kswemc
Source: yWteP7e12z.dll Static PE information: section name: .kaxfk
Source: yWteP7e12z.dll Static PE information: section name: .wualk
Source: yWteP7e12z.dll Static PE information: section name: .qwqp
Source: yWteP7e12z.dll Static PE information: section name: .txp
Source: yWteP7e12z.dll Static PE information: section name: .ezxpm
Source: yWteP7e12z.dll Static PE information: section name: .kdkmc
Source: yWteP7e12z.dll Static PE information: section name: .vwqjj
Source: yWteP7e12z.dll Static PE information: section name: .ute
Source: yWteP7e12z.dll Static PE information: section name: .hzotrb
Source: yWteP7e12z.dll Static PE information: section name: .mkb
Source: yWteP7e12z.dll Static PE information: section name: .plbi
Source: yWteP7e12z.dll Static PE information: section name: .dmwl
Source: yWteP7e12z.dll Static PE information: section name: .qorltm
Source: yWteP7e12z.dll Static PE information: section name: .ubg
Source: yWteP7e12z.dll Static PE information: section name: .lhm
Source: yWteP7e12z.dll Static PE information: section name: .wojiyd
Source: yWteP7e12z.dll Static PE information: section name: .ekv
Source: yWteP7e12z.dll Static PE information: section name: .vmf
Source: yWteP7e12z.dll Static PE information: section name: .rqv
Source: yWteP7e12z.dll Static PE information: section name: .rseab
Source: yWteP7e12z.dll Static PE information: section name: .pxtlo
Source: yWteP7e12z.dll Static PE information: section name: .nri
Source: yWteP7e12z.dll Static PE information: section name: .fcbpa
Source: raserver.exe.5.dr Static PE information: section name: .didat
Source: WMPDMC.exe.5.dr Static PE information: section name: .didat
Source: MusNotifyIcon.exe.5.dr Static PE information: section name: .didat
Source: OLEACC.dll.5.dr Static PE information: section name: .qkm
Source: OLEACC.dll.5.dr Static PE information: section name: .cvjb
Source: OLEACC.dll.5.dr Static PE information: section name: .tlmkv
Source: OLEACC.dll.5.dr Static PE information: section name: .wucsxe
Source: OLEACC.dll.5.dr Static PE information: section name: .fltwtj
Source: OLEACC.dll.5.dr Static PE information: section name: .sfplio
Source: OLEACC.dll.5.dr Static PE information: section name: .rpg
Source: OLEACC.dll.5.dr Static PE information: section name: .bewzc
Source: OLEACC.dll.5.dr Static PE information: section name: .vksvaw
Source: OLEACC.dll.5.dr Static PE information: section name: .wmhg
Source: OLEACC.dll.5.dr Static PE information: section name: .kswemc
Source: OLEACC.dll.5.dr Static PE information: section name: .kaxfk
Source: OLEACC.dll.5.dr Static PE information: section name: .wualk
Source: OLEACC.dll.5.dr Static PE information: section name: .qwqp
Source: OLEACC.dll.5.dr Static PE information: section name: .txp
Source: OLEACC.dll.5.dr Static PE information: section name: .ezxpm
Source: OLEACC.dll.5.dr Static PE information: section name: .kdkmc
Source: OLEACC.dll.5.dr Static PE information: section name: .vwqjj
Source: OLEACC.dll.5.dr Static PE information: section name: .ute
Source: OLEACC.dll.5.dr Static PE information: section name: .hzotrb
Source: OLEACC.dll.5.dr Static PE information: section name: .mkb
Source: OLEACC.dll.5.dr Static PE information: section name: .plbi
Source: OLEACC.dll.5.dr Static PE information: section name: .dmwl
Source: OLEACC.dll.5.dr Static PE information: section name: .qorltm
Source: OLEACC.dll.5.dr Static PE information: section name: .ubg
Source: OLEACC.dll.5.dr Static PE information: section name: .lhm
Source: OLEACC.dll.5.dr Static PE information: section name: .wojiyd
Source: OLEACC.dll.5.dr Static PE information: section name: .ekv
Source: OLEACC.dll.5.dr Static PE information: section name: .vmf
Source: OLEACC.dll.5.dr Static PE information: section name: .rqv
Source: OLEACC.dll.5.dr Static PE information: section name: .rseab
Source: OLEACC.dll.5.dr Static PE information: section name: .pxtlo
Source: OLEACC.dll.5.dr Static PE information: section name: .nri
Source: OLEACC.dll.5.dr Static PE information: section name: .fcbpa
Source: OLEACC.dll.5.dr Static PE information: section name: .ciqu
Source: WTSAPI32.dll.5.dr Static PE information: section name: .qkm
Source: WTSAPI32.dll.5.dr Static PE information: section name: .cvjb
Source: WTSAPI32.dll.5.dr Static PE information: section name: .tlmkv
Source: WTSAPI32.dll.5.dr Static PE information: section name: .wucsxe
Source: WTSAPI32.dll.5.dr Static PE information: section name: .fltwtj
Source: WTSAPI32.dll.5.dr Static PE information: section name: .sfplio
Source: WTSAPI32.dll.5.dr Static PE information: section name: .rpg
Source: WTSAPI32.dll.5.dr Static PE information: section name: .bewzc
Source: WTSAPI32.dll.5.dr Static PE information: section name: .vksvaw
Source: WTSAPI32.dll.5.dr Static PE information: section name: .wmhg
Source: WTSAPI32.dll.5.dr Static PE information: section name: .kswemc
Source: WTSAPI32.dll.5.dr Static PE information: section name: .kaxfk
Source: WTSAPI32.dll.5.dr Static PE information: section name: .wualk
Source: WTSAPI32.dll.5.dr Static PE information: section name: .qwqp
Source: WTSAPI32.dll.5.dr Static PE information: section name: .txp
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ezxpm
Source: WTSAPI32.dll.5.dr Static PE information: section name: .kdkmc
Source: WTSAPI32.dll.5.dr Static PE information: section name: .vwqjj
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ute
Source: WTSAPI32.dll.5.dr Static PE information: section name: .hzotrb
Source: WTSAPI32.dll.5.dr Static PE information: section name: .mkb
Source: WTSAPI32.dll.5.dr Static PE information: section name: .plbi
Source: WTSAPI32.dll.5.dr Static PE information: section name: .dmwl
Source: WTSAPI32.dll.5.dr Static PE information: section name: .qorltm
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ubg
Source: WTSAPI32.dll.5.dr Static PE information: section name: .lhm
Source: WTSAPI32.dll.5.dr Static PE information: section name: .wojiyd
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ekv
Source: WTSAPI32.dll.5.dr Static PE information: section name: .vmf
Source: WTSAPI32.dll.5.dr Static PE information: section name: .rqv
Source: WTSAPI32.dll.5.dr Static PE information: section name: .rseab
Source: WTSAPI32.dll.5.dr Static PE information: section name: .pxtlo
Source: WTSAPI32.dll.5.dr Static PE information: section name: .nri
Source: WTSAPI32.dll.5.dr Static PE information: section name: .fcbpa
Source: WTSAPI32.dll.5.dr Static PE information: section name: .wwwa
Source: XmlLite.dll.5.dr Static PE information: section name: .qkm
Source: XmlLite.dll.5.dr Static PE information: section name: .cvjb
Source: XmlLite.dll.5.dr Static PE information: section name: .tlmkv
Source: XmlLite.dll.5.dr Static PE information: section name: .wucsxe
Source: XmlLite.dll.5.dr Static PE information: section name: .fltwtj
Source: XmlLite.dll.5.dr Static PE information: section name: .sfplio
Source: XmlLite.dll.5.dr Static PE information: section name: .rpg
Source: XmlLite.dll.5.dr Static PE information: section name: .bewzc
Source: XmlLite.dll.5.dr Static PE information: section name: .vksvaw
Source: XmlLite.dll.5.dr Static PE information: section name: .wmhg
Source: XmlLite.dll.5.dr Static PE information: section name: .kswemc
Source: XmlLite.dll.5.dr Static PE information: section name: .kaxfk
Source: XmlLite.dll.5.dr Static PE information: section name: .wualk
Source: XmlLite.dll.5.dr Static PE information: section name: .qwqp
Source: XmlLite.dll.5.dr Static PE information: section name: .txp
Source: XmlLite.dll.5.dr Static PE information: section name: .ezxpm
Source: XmlLite.dll.5.dr Static PE information: section name: .kdkmc
Source: XmlLite.dll.5.dr Static PE information: section name: .vwqjj
Source: XmlLite.dll.5.dr Static PE information: section name: .ute
Source: XmlLite.dll.5.dr Static PE information: section name: .hzotrb
Source: XmlLite.dll.5.dr Static PE information: section name: .mkb
Source: XmlLite.dll.5.dr Static PE information: section name: .plbi
Source: XmlLite.dll.5.dr Static PE information: section name: .dmwl
Source: XmlLite.dll.5.dr Static PE information: section name: .qorltm
Source: XmlLite.dll.5.dr Static PE information: section name: .ubg
Source: XmlLite.dll.5.dr Static PE information: section name: .lhm
Source: XmlLite.dll.5.dr Static PE information: section name: .wojiyd
Source: XmlLite.dll.5.dr Static PE information: section name: .ekv
Source: XmlLite.dll.5.dr Static PE information: section name: .vmf
Source: XmlLite.dll.5.dr Static PE information: section name: .rqv
Source: XmlLite.dll.5.dr Static PE information: section name: .rseab
Source: XmlLite.dll.5.dr Static PE information: section name: .pxtlo
Source: XmlLite.dll.5.dr Static PE information: section name: .nri
Source: XmlLite.dll.5.dr Static PE information: section name: .fcbpa
Source: XmlLite.dll.5.dr Static PE information: section name: .kwig
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .qkm
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .cvjb
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .tlmkv
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .wucsxe
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .fltwtj
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .sfplio
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .rpg
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .bewzc
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .vksvaw
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .wmhg
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .kswemc
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .kaxfk
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .wualk
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .qwqp
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .txp
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .ezxpm
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .kdkmc
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .vwqjj
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .ute
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .hzotrb
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .mkb
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .plbi
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .dmwl
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .qorltm
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .ubg
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .lhm
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .wojiyd
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .ekv
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .vmf
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .rqv
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .rseab
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .pxtlo
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .nri
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .fcbpa
Source: ACTIVEDS.dll.5.dr Static PE information: section name: .pemb
Source: SppExtComObj.Exe.5.dr Static PE information: section name: ?g_Encry
Source: OLEACC.dll0.5.dr Static PE information: section name: .qkm
Source: OLEACC.dll0.5.dr Static PE information: section name: .cvjb
Source: OLEACC.dll0.5.dr Static PE information: section name: .tlmkv
Source: OLEACC.dll0.5.dr Static PE information: section name: .wucsxe
Source: OLEACC.dll0.5.dr Static PE information: section name: .fltwtj
Source: OLEACC.dll0.5.dr Static PE information: section name: .sfplio
Source: OLEACC.dll0.5.dr Static PE information: section name: .rpg
Source: OLEACC.dll0.5.dr Static PE information: section name: .bewzc
Source: OLEACC.dll0.5.dr Static PE information: section name: .vksvaw
Source: OLEACC.dll0.5.dr Static PE information: section name: .wmhg
Source: OLEACC.dll0.5.dr Static PE information: section name: .kswemc
Source: OLEACC.dll0.5.dr Static PE information: section name: .kaxfk
Source: OLEACC.dll0.5.dr Static PE information: section name: .wualk
Source: OLEACC.dll0.5.dr Static PE information: section name: .qwqp
Source: OLEACC.dll0.5.dr Static PE information: section name: .txp
Source: OLEACC.dll0.5.dr Static PE information: section name: .ezxpm
Source: OLEACC.dll0.5.dr Static PE information: section name: .kdkmc
Source: OLEACC.dll0.5.dr Static PE information: section name: .vwqjj
Source: OLEACC.dll0.5.dr Static PE information: section name: .ute
Source: OLEACC.dll0.5.dr Static PE information: section name: .hzotrb
Source: OLEACC.dll0.5.dr Static PE information: section name: .mkb
Source: OLEACC.dll0.5.dr Static PE information: section name: .plbi
Source: OLEACC.dll0.5.dr Static PE information: section name: .dmwl
Source: OLEACC.dll0.5.dr Static PE information: section name: .qorltm
Source: OLEACC.dll0.5.dr Static PE information: section name: .ubg
Source: OLEACC.dll0.5.dr Static PE information: section name: .lhm
Source: OLEACC.dll0.5.dr Static PE information: section name: .wojiyd
Source: OLEACC.dll0.5.dr Static PE information: section name: .ekv
Source: OLEACC.dll0.5.dr Static PE information: section name: .vmf
Source: OLEACC.dll0.5.dr Static PE information: section name: .rqv
Source: OLEACC.dll0.5.dr Static PE information: section name: .rseab
Source: OLEACC.dll0.5.dr Static PE information: section name: .pxtlo
Source: OLEACC.dll0.5.dr Static PE information: section name: .nri
Source: OLEACC.dll0.5.dr Static PE information: section name: .fcbpa
Source: OLEACC.dll0.5.dr Static PE information: section name: .kmhbw
Source: VERSION.dll.5.dr Static PE information: section name: .qkm
Source: VERSION.dll.5.dr Static PE information: section name: .cvjb
Source: VERSION.dll.5.dr Static PE information: section name: .tlmkv
Source: VERSION.dll.5.dr Static PE information: section name: .wucsxe
Source: VERSION.dll.5.dr Static PE information: section name: .fltwtj
Source: VERSION.dll.5.dr Static PE information: section name: .sfplio
Source: VERSION.dll.5.dr Static PE information: section name: .rpg
Source: VERSION.dll.5.dr Static PE information: section name: .bewzc
Source: VERSION.dll.5.dr Static PE information: section name: .vksvaw
Source: VERSION.dll.5.dr Static PE information: section name: .wmhg
Source: VERSION.dll.5.dr Static PE information: section name: .kswemc
Source: VERSION.dll.5.dr Static PE information: section name: .kaxfk
Source: VERSION.dll.5.dr Static PE information: section name: .wualk
Source: VERSION.dll.5.dr Static PE information: section name: .qwqp
Source: VERSION.dll.5.dr Static PE information: section name: .txp
Source: VERSION.dll.5.dr Static PE information: section name: .ezxpm
Source: VERSION.dll.5.dr Static PE information: section name: .kdkmc
Source: VERSION.dll.5.dr Static PE information: section name: .vwqjj
Source: VERSION.dll.5.dr Static PE information: section name: .ute
Source: VERSION.dll.5.dr Static PE information: section name: .hzotrb
Source: VERSION.dll.5.dr Static PE information: section name: .mkb
Source: VERSION.dll.5.dr Static PE information: section name: .plbi
Source: VERSION.dll.5.dr Static PE information: section name: .dmwl
Source: VERSION.dll.5.dr Static PE information: section name: .qorltm
Source: VERSION.dll.5.dr Static PE information: section name: .ubg
Source: VERSION.dll.5.dr Static PE information: section name: .lhm
Source: VERSION.dll.5.dr Static PE information: section name: .wojiyd
Source: VERSION.dll.5.dr Static PE information: section name: .ekv
Source: VERSION.dll.5.dr Static PE information: section name: .vmf
Source: VERSION.dll.5.dr Static PE information: section name: .rqv
Source: VERSION.dll.5.dr Static PE information: section name: .rseab
Source: VERSION.dll.5.dr Static PE information: section name: .pxtlo
Source: VERSION.dll.5.dr Static PE information: section name: .nri
Source: VERSION.dll.5.dr Static PE information: section name: .fcbpa
Source: VERSION.dll.5.dr Static PE information: section name: .oeep
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .qkm
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .cvjb
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .tlmkv
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .wucsxe
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .fltwtj
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .sfplio
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .rpg
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .bewzc
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .vksvaw
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .wmhg
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .kswemc
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .kaxfk
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .wualk
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .qwqp
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .txp
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .ezxpm
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .kdkmc
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .vwqjj
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .ute
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .hzotrb
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .mkb
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .plbi
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .dmwl
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .qorltm
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .ubg
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .lhm
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .wojiyd
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .ekv
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .vmf
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .rqv
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .rseab
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .pxtlo
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .nri
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .fcbpa
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .ugx
Source: XmlLite.dll0.5.dr Static PE information: section name: .qkm
Source: XmlLite.dll0.5.dr Static PE information: section name: .cvjb
Source: XmlLite.dll0.5.dr Static PE information: section name: .tlmkv
Source: XmlLite.dll0.5.dr Static PE information: section name: .wucsxe
Source: XmlLite.dll0.5.dr Static PE information: section name: .fltwtj
Source: XmlLite.dll0.5.dr Static PE information: section name: .sfplio
Source: XmlLite.dll0.5.dr Static PE information: section name: .rpg
Source: XmlLite.dll0.5.dr Static PE information: section name: .bewzc
Source: XmlLite.dll0.5.dr Static PE information: section name: .vksvaw
Source: XmlLite.dll0.5.dr Static PE information: section name: .wmhg
Source: XmlLite.dll0.5.dr Static PE information: section name: .kswemc
Source: XmlLite.dll0.5.dr Static PE information: section name: .kaxfk
Source: XmlLite.dll0.5.dr Static PE information: section name: .wualk
Source: XmlLite.dll0.5.dr Static PE information: section name: .qwqp
Source: XmlLite.dll0.5.dr Static PE information: section name: .txp
Source: XmlLite.dll0.5.dr Static PE information: section name: .ezxpm
Source: XmlLite.dll0.5.dr Static PE information: section name: .kdkmc
Source: XmlLite.dll0.5.dr Static PE information: section name: .vwqjj
Source: XmlLite.dll0.5.dr Static PE information: section name: .ute
Source: XmlLite.dll0.5.dr Static PE information: section name: .hzotrb
Source: XmlLite.dll0.5.dr Static PE information: section name: .mkb
Source: XmlLite.dll0.5.dr Static PE information: section name: .plbi
Source: XmlLite.dll0.5.dr Static PE information: section name: .dmwl
Source: XmlLite.dll0.5.dr Static PE information: section name: .qorltm
Source: XmlLite.dll0.5.dr Static PE information: section name: .ubg
Source: XmlLite.dll0.5.dr Static PE information: section name: .lhm
Source: XmlLite.dll0.5.dr Static PE information: section name: .wojiyd
Source: XmlLite.dll0.5.dr Static PE information: section name: .ekv
Source: XmlLite.dll0.5.dr Static PE information: section name: .vmf
Source: XmlLite.dll0.5.dr Static PE information: section name: .rqv
Source: XmlLite.dll0.5.dr Static PE information: section name: .rseab
Source: XmlLite.dll0.5.dr Static PE information: section name: .pxtlo
Source: XmlLite.dll0.5.dr Static PE information: section name: .nri
Source: XmlLite.dll0.5.dr Static PE information: section name: .fcbpa
Source: XmlLite.dll0.5.dr Static PE information: section name: .htvhcf
Source: OLEACC.dll1.5.dr Static PE information: section name: .qkm
Source: OLEACC.dll1.5.dr Static PE information: section name: .cvjb
Source: OLEACC.dll1.5.dr Static PE information: section name: .tlmkv
Source: OLEACC.dll1.5.dr Static PE information: section name: .wucsxe
Source: OLEACC.dll1.5.dr Static PE information: section name: .fltwtj
Source: OLEACC.dll1.5.dr Static PE information: section name: .sfplio
Source: OLEACC.dll1.5.dr Static PE information: section name: .rpg
Source: OLEACC.dll1.5.dr Static PE information: section name: .bewzc
Source: OLEACC.dll1.5.dr Static PE information: section name: .vksvaw
Source: OLEACC.dll1.5.dr Static PE information: section name: .wmhg
Source: OLEACC.dll1.5.dr Static PE information: section name: .kswemc
Source: OLEACC.dll1.5.dr Static PE information: section name: .kaxfk
Source: OLEACC.dll1.5.dr Static PE information: section name: .wualk
Source: OLEACC.dll1.5.dr Static PE information: section name: .qwqp
Source: OLEACC.dll1.5.dr Static PE information: section name: .txp
Source: OLEACC.dll1.5.dr Static PE information: section name: .ezxpm
Source: OLEACC.dll1.5.dr Static PE information: section name: .kdkmc
Source: OLEACC.dll1.5.dr Static PE information: section name: .vwqjj
Source: OLEACC.dll1.5.dr Static PE information: section name: .ute
Source: OLEACC.dll1.5.dr Static PE information: section name: .hzotrb
Source: OLEACC.dll1.5.dr Static PE information: section name: .mkb
Source: OLEACC.dll1.5.dr Static PE information: section name: .plbi
Source: OLEACC.dll1.5.dr Static PE information: section name: .dmwl
Source: OLEACC.dll1.5.dr Static PE information: section name: .qorltm
Source: OLEACC.dll1.5.dr Static PE information: section name: .ubg
Source: OLEACC.dll1.5.dr Static PE information: section name: .lhm
Source: OLEACC.dll1.5.dr Static PE information: section name: .wojiyd
Source: OLEACC.dll1.5.dr Static PE information: section name: .ekv
Source: OLEACC.dll1.5.dr Static PE information: section name: .vmf
Source: OLEACC.dll1.5.dr Static PE information: section name: .rqv
Source: OLEACC.dll1.5.dr Static PE information: section name: .rseab
Source: OLEACC.dll1.5.dr Static PE information: section name: .pxtlo
Source: OLEACC.dll1.5.dr Static PE information: section name: .nri
Source: OLEACC.dll1.5.dr Static PE information: section name: .fcbpa
Source: OLEACC.dll1.5.dr Static PE information: section name: .xtmp
Source: XmlLite.dll1.5.dr Static PE information: section name: .qkm
Source: XmlLite.dll1.5.dr Static PE information: section name: .cvjb
Source: XmlLite.dll1.5.dr Static PE information: section name: .tlmkv
Source: XmlLite.dll1.5.dr Static PE information: section name: .wucsxe
Source: XmlLite.dll1.5.dr Static PE information: section name: .fltwtj
Source: XmlLite.dll1.5.dr Static PE information: section name: .sfplio
Source: XmlLite.dll1.5.dr Static PE information: section name: .rpg
Source: XmlLite.dll1.5.dr Static PE information: section name: .bewzc
Source: XmlLite.dll1.5.dr Static PE information: section name: .vksvaw
Source: XmlLite.dll1.5.dr Static PE information: section name: .wmhg
Source: XmlLite.dll1.5.dr Static PE information: section name: .kswemc
Source: XmlLite.dll1.5.dr Static PE information: section name: .kaxfk
Source: XmlLite.dll1.5.dr Static PE information: section name: .wualk
Source: XmlLite.dll1.5.dr Static PE information: section name: .qwqp
Source: XmlLite.dll1.5.dr Static PE information: section name: .txp
Source: XmlLite.dll1.5.dr Static PE information: section name: .ezxpm
Source: XmlLite.dll1.5.dr Static PE information: section name: .kdkmc
Source: XmlLite.dll1.5.dr Static PE information: section name: .vwqjj
Source: XmlLite.dll1.5.dr Static PE information: section name: .ute
Source: XmlLite.dll1.5.dr Static PE information: section name: .hzotrb
Source: XmlLite.dll1.5.dr Static PE information: section name: .mkb
Source: XmlLite.dll1.5.dr Static PE information: section name: .plbi
Source: XmlLite.dll1.5.dr Static PE information: section name: .dmwl
Source: XmlLite.dll1.5.dr Static PE information: section name: .qorltm
Source: XmlLite.dll1.5.dr Static PE information: section name: .ubg
Source: XmlLite.dll1.5.dr Static PE information: section name: .lhm
Source: XmlLite.dll1.5.dr Static PE information: section name: .wojiyd
Source: XmlLite.dll1.5.dr Static PE information: section name: .ekv
Source: XmlLite.dll1.5.dr Static PE information: section name: .vmf
Source: XmlLite.dll1.5.dr Static PE information: section name: .rqv
Source: XmlLite.dll1.5.dr Static PE information: section name: .rseab
Source: XmlLite.dll1.5.dr Static PE information: section name: .pxtlo
Source: XmlLite.dll1.5.dr Static PE information: section name: .nri
Source: XmlLite.dll1.5.dr Static PE information: section name: .fcbpa
Source: XmlLite.dll1.5.dr Static PE information: section name: .gbpuqn
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E1183E0 LoadLibraryW,GetProcAddress,GetProcAddress,WTSEnumerateSessionsW,GetProcessHeap,HeapAlloc,WTSFreeMemory,WTSFreeMemory,WTSQuerySessionInformationW,WTSQuerySessionInformationW,StrCmpIW,GetProcessHeap,HeapAlloc,SafeArrayCreateVector,SafeArrayAccessData,SysAllocString,SafeArrayUnaccessData,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,WTSFreeMemory,WTSFreeMemory,SafeArrayDestroy,SysFreeString, 26_2_00007FF74E1183E0
PE file contains an invalid checksum
Source: yWteP7e12z.dll Static PE information: real checksum: 0x7d786c40 should be: 0x208f5c
Source: ACTIVEDS.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20e14e
Source: WTSAPI32.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2040a8
Source: OLEACC.dll1.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20e541
Source: VERSION.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2120a4
Source: XmlLite.dll1.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2053cb
Source: XmlLite.dll0.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20bbcb
Source: XmlLite.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x209517
Source: OLEACC.dll0.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20a1b8
Source: OLEACC.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2065b2
Source: WTSAPI32.dll0.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x20419e
Binary contains a suspicious time stamp
Source: raserver.exe.5.dr Static PE information: 0xEBE25ACA [Sun May 29 04:02:18 2095 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample Static PE information: section name: .text entropy: 7.59477523886
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\yoY8Y\XmlLite.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\yoY8Y\ddodiag.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\eQL\raserver.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\S8mrk1\OLEACC.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\eQL\WTSAPI32.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\92ea6x\OLEACC.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2Pnr0hm64\MusNotifyIcon.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Iz08tEz\XmlLite.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\7YI8zy\sethc.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Code function: 41_2_00007FF6E6D664A0 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,QueryServiceStatus,StartServiceW,GetLastError,Sleep,QueryServiceStatus,GetLastError,CloseServiceHandle,CloseServiceHandle, 41_2_00007FF6E6D664A0

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code function: 19_2_00007FF73D04DE78 IsWindowVisible,ShowWindow,IsZoomed,ShowWindow,SendMessageW,SendMessageW,IsIconic,OpenIcon,IsWindowVisible, 19_2_00007FF73D04DE78
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code function: 19_2_00007FF73D043078 IsWindowVisible,IsIconic,DwmGetWindowAttribute, 19_2_00007FF73D043078
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code function: 19_2_00007FF73D04F79C DefWindowProcW,memset,TraceEvent,DefWindowProcW,SendMessageW,IsIconic,GetWindowRect,IsWindowVisible,IsIconic,OpenIcon, 19_2_00007FF73D04F79C
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code function: 19_2_00007FF73D04F79C DefWindowProcW,memset,TraceEvent,DefWindowProcW,SendMessageW,IsIconic,GetWindowRect,IsWindowVisible,IsIconic,OpenIcon, 19_2_00007FF73D04F79C
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code function: 19_2_00007FF73D047800 FindWindowW,FindWindowW,IsWindowVisible,FindWindowW,IsWindowVisible,FindWindowW,IsWindowVisible,IsIconic,OpenIcon,SetForegroundWindow,GetLastError, 19_2_00007FF73D047800
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B617020 GetWindow,IsWindowVisible,GetWindowThreadProcessId,GetDesktopWindow,GetWindow,GetWindowThreadProcessId,GetParent,GetWindow,GetClassNameW,CompareStringOrdinal,SetForegroundWindow,IsIconic,ShowWindow, 34_2_00007FF67B617020
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5916 Thread sleep count: 40 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\2Pnr0hm64\MusNotifyIcon.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\7YI8zy\sethc.exe
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF79146D314 rdtsc 32_2_00007FF79146D314
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 GetSystemInfo, 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E892D4A0 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose, 37_2_00007FF6E892D4A0
Source: explorer.exe, 00000005.00000000.321902451.000000000EEE0000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.342238983.000000000EE50000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}onsappsD
Source: explorer.exe, 00000005.00000000.317335575.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.317457618.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000005.00000000.342238983.000000000EE50000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oogle Chrome.l
Source: explorer.exe, 00000005.00000000.313685798.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.317335575.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000005.00000000.342238983.000000000EE50000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}microsoF
Source: explorer.exe, 00000005.00000000.313685798.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000005.00000000.313685798.00000000067C2000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA
Source: explorer.exe, 00000005.00000000.317335575.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code function: 19_2_00007FF73D06DF84 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FF73D06DF84
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B616008 OutputDebugStringA,ActivateActCtx,GetLastError, 34_2_00007FF67B616008
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E1183E0 LoadLibraryW,GetProcAddress,GetProcAddress,WTSEnumerateSessionsW,GetProcessHeap,HeapAlloc,WTSFreeMemory,WTSFreeMemory,WTSQuerySessionInformationW,WTSQuerySessionInformationW,StrCmpIW,GetProcessHeap,HeapAlloc,SafeArrayCreateVector,SafeArrayAccessData,SysAllocString,SafeArrayUnaccessData,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,WTSFreeMemory,WTSFreeMemory,SafeArrayDestroy,SysFreeString, 26_2_00007FF74E1183E0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code function: 19_2_00007FF73D05E274 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 19_2_00007FF73D05E274
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF79146D314 rdtsc 32_2_00007FF79146D314
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose, 0_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code function: 19_2_00007FF73D06DF84 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FF73D06DF84
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E120B80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_00007FF74E120B80
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E121170 SetUnhandledExceptionFilter, 26_2_00007FF74E121170
Source: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe Code function: 28_2_00007FF7409832A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00007FF7409832A4
Source: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe Code function: 28_2_00007FF740983010 SetUnhandledExceptionFilter, 28_2_00007FF740983010
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF79146DD00 SetUnhandledExceptionFilter, 32_2_00007FF79146DD00
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF79146DF84 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 32_2_00007FF79146DF84
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B6CACE0 SetUnhandledExceptionFilter, 34_2_00007FF67B6CACE0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B6CA9E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 34_2_00007FF67B6CA9E4
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E8933CC8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 37_2_00007FF6E8933CC8
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Code function: 41_2_00007FF6E6D67DA0 SetUnhandledExceptionFilter, 41_2_00007FF6E6D67DA0
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Code function: 41_2_00007FF6E6D67984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 41_2_00007FF6E6D67984

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: OLEACC.dll.5.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4EFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4E000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8BAD2A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
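The memory-protection and APC signatures above are raised per event; they describe one injection chain only when they share a source and a target process. The script below correlates them into a single verdict, as an added example that is not Joe Sandbox output or Dridex code. The sample lines are constructed to mirror this report's entry format, and the regular expressions, the "cross-process plus executable protection plus APC" rule and the atom count are this example's own assumptions, not a documented sandbox schema.

```python
"""Correlate per-event sandbox signatures into one cross-process injection verdict.

Added example, not Joe Sandbox or Dridex code. A source process that (1) changes
memory in a different process to an executable protection and (2) queues an APC
into that process has everything it needs to run code there; atoms created by
the same source are counted as a possible payload carrier.
"""
import re
from collections import defaultdict

# Regexes are assumptions about the report's line format (not a published schema).
MEMPROT = re.compile(r"^Source: (?P<src>.+?) Memory protected: (?P<dst>.+?) "
                     r"base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
APC = re.compile(r"^Source: (?P<src>.+?) Thread APC queued: target process: (?P<dst>.+)$")
ATOM = re.compile(r"^Source: (?P<src>.+?) Atom created: (?P<hex>[0-9A-Fa-f]+)\b")

# Constructed sample input modeled on the report's HIPS section; the last three
# lines are benign-looking fillers (self-modification, self-APC, unrelated event).
SAMPLE_EVENTS = [
    r"Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4EFE0 protect: page execute and read and write",
    r"Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4E000 protect: page execute read",
    r"Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax",
    r"Source: C:\Windows\explorer.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8BAD2A20 protect: page read and write",
    r"Source: C:\Windows\System32\svchost.exe Thread APC queued: target process: C:\Windows\System32\svchost.exe",
    r"Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX",
]


def correlate(lines):
    """Return one alert dict per (source, target) pair, source != target, for which
    the source both made target memory executable and queued an APC into it."""
    stats = defaultdict(lambda: {"exec_protect": 0, "apc": 0})
    atoms = defaultdict(int)                 # atoms are per source: they are session-global
    for line in lines:
        line = line.strip()
        if m := MEMPROT.match(line):
            # Only foreign, executable protections matter; JITs rewrite their own pages.
            if m["src"] != m["dst"] and "execute" in m["prot"]:
                stats[(m["src"], m["dst"])]["exec_protect"] += 1
        elif m := APC.match(line):
            if m["src"] != m["dst"]:
                stats[(m["src"], m["dst"])]["apc"] += 1
        elif m := ATOM.match(line):
            atoms[m["src"]] += 1
    alerts = []
    for (src, dst), s in sorted(stats.items()):
        if s["exec_protect"] and s["apc"]:
            alerts.append({"source": src, "target": dst,
                           "exec_protect": s["exec_protect"], "apc": s["apc"],
                           "code_atoms": atoms[src]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately ignores a process changing its own page protections or queueing an APC to itself, which JIT compilers and some system services do; the cross-process combination is what separates this report's rundll32.exe behaviour from that noise.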
Contains functionality to prevent local Windows debugging
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B6C9860 EnterCriticalSection,IsDebuggerPresent,DebugBreak,GetLastError,SetLastError,LeaveCriticalSection, 34_2_00007FF67B6C9860
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B6C97F0 EnterCriticalSection,IsDebuggerPresent,DebugBreak,LeaveCriticalSection, 34_2_00007FF67B6C97F0
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
The disassembly in this entry decodes the atom in 32-bit mode. The target, explorer.exe, is a 64-bit process, where 40h, 41h and 48h are REX prefixes and the same bytes read push rbp, push rbx, push rsi, push rdi, push r12, push r14, lea rbp,[rsp-2Fh], sub rsp,98h: an ordinary x64 function prologue. An atom string ends at its first NUL byte, which is why the captured value stops after 98h, the first byte of the sub immediate; the remaining immediate bytes are zero.
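A decoder for the prologue forms that show up in an atom-smuggled payload, as an added example that is not Joe Sandbox or Dridex code. REPORT_ATOM_HEX is the hex string from the entry above; the decoder itself covers only push r64, lea r64,[rsp+disp8] and sub rsp,imm, and the "three pushes plus frame setup" threshold in looks_like_x64_prologue is this example's own heuristic.

```python
"""Decode the bytes behind a sandbox 'Atom created' entry as the x64 code they are.

Added example, not Joe Sandbox or Dridex code. In 64-bit mode bytes 0x40-0x4F
are REX prefixes, so the sandbox's 32-bit reading (inc eax, push ebp, ...) of
the atom below is misleading: it is a normal x64 function prologue. The decoder
handles only the prologue instructions needed for that check and stops at the
first byte it does not understand.
"""
import struct

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

# Hex payload copied from the report's "Atom created:" entry.
REPORT_ATOM_HEX = "405553565741544156488D6C24D14881EC98"


def atom_bytes(hex_text: str) -> bytes:
    return bytes.fromhex(hex_text)


def disasm_x64_prologue(code: bytes):
    """Return [(offset, text), ...] for push r64, lea r64,[rsp+disp8],
    sub rsp,imm8 and sub rsp,imm32. An immediate cut off by the end of the
    atom is zero-extended, because an atom string ends at its first NUL byte."""
    out, i = [], 0
    while i < len(code):
        start, rex = i, 0
        if 0x40 <= code[i] <= 0x4F:              # REX prefix (64-bit mode only)
            rex, i = code[i], i + 1
            if i >= len(code):
                out.append((start, "<truncated>"))
                break
        op = code[i]
        rex_w, rex_r, rex_b = bool(rex & 8), bool(rex & 4), bool(rex & 1)
        if 0x50 <= op <= 0x57:                    # push r64; REX.B selects r8-r15
            out.append((start, f"push {REG64[op - 0x50 + 8 * rex_b]}"))
            i += 1
            continue
        if (op == 0x8D and rex_w and i + 3 < len(code)
                and (code[i + 1] & 0xC7) == 0x44 and code[i + 2] == 0x24):
            # lea r64, [rsp + disp8]: ModRM mod=01 rm=100, SIB 0x24 = rsp base
            reg = ((code[i + 1] >> 3) & 7) + 8 * rex_r
            disp = struct.unpack("<b", code[i + 3:i + 4])[0]
            out.append((start, f"lea {REG64[reg]}, [rsp{disp:+#x}]"))
            i += 4
            continue
        if op in (0x81, 0x83) and rex_w and i + 1 < len(code) and code[i + 1] == 0xEC:
            # sub rsp, imm32 (81 /5) or sub rsp, imm8 (83 /5); pad a cut-off imm with NULs
            width = 4 if op == 0x81 else 1
            imm = code[i + 2:i + 2 + width].ljust(width, b"\0")
            value = struct.unpack("<i" if width == 4 else "<b", imm)[0]
            out.append((start, f"sub rsp, {value:#x}"))
            i += 2 + width
            continue
        out.append((start, "<undecoded>"))
        break
    return out


def looks_like_x64_prologue(code: bytes) -> bool:
    """Heuristic (this example's own): an atom whose text is code rather than a
    window class or clipboard format name starts with several register pushes
    followed by stack-frame setup."""
    insns = [text for _, text in disasm_x64_prologue(code)]
    pushes = sum(text.startswith("push ") for text in insns)
    frame = any(text.startswith(("lea ", "sub rsp")) for text in insns)
    return pushes >= 3 and frame


if __name__ == "__main__":
    for off, text in disasm_x64_prologue(atom_bytes(REPORT_ATOM_HEX)):
        print(f"{off:#06x}  {text}")
    print("code-like:", looks_like_x64_prologue(atom_bytes(REPORT_ATOM_HEX)))
```

Because an atom cannot carry an embedded NUL, a payload like this one has to be written in pieces that stop before each zero byte, so a single atom rarely holds more than one short instruction run; the heuristic is therefore applied to each atom on its own rather than to a reassembled buffer.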
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E11A9AC AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,GetLastError,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,AllocateAndInitializeSid,GetLastError,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,IsValidSecurityDescriptor,GetLastError,GetProcessHeap,HeapFree,FreeSid,FreeSid,FreeSid, 26_2_00007FF74E11A9AC
Source: explorer.exe, 00000005.00000000.330726582.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 00000005.00000000.310248689.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.335309459.0000000005E10000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.310248689.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.310248689.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.317457618.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation (2 entries)
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation (8 entries)
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Queries volume information: unknown VolumeInformation (2 entries)
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Queries volume information: unknown VolumeInformation (2 entries)
Source: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe Queries volume information: unknown VolumeInformation (2 entries)
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Queries volume information: unknown VolumeInformation (2 entries)
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Queries volume information: unknown VolumeInformation (2 entries)
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Queries volume information: unknown VolumeInformation (2 entries)
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Queries volume information: unknown VolumeInformation (2 entries)
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: DisableContainerHwnd,DestroyWindow,DeleteObject,GetModuleHandleW,GetClassInfoExW,memset,GetModuleHandleW,LoadCursorW,GetStockObject,DefWindowProcW,RegisterClassExW,GetModuleHandleW,CreateWindowExW,SetWindowLongPtrW,SetWindowLongPtrW,SendMessageW,GetWindowLongPtrW,GetWindowLongPtrW,SetWindowLongPtrW,GetThreadUILanguage,GetUserDefaultUILanguage,GetLocaleInfoW,GetWindowLongPtrW,SetWindowLongPtrW,CreateGadget,GetLastError,SetGadgetMessageFilter,SetGadgetStyle,GetDC,GetDeviceCaps,ReleaseDC,GetDC,CreateHalftonePalette,ReleaseDC,memset,SetGadgetRootInfo,TlsGetValue, 34_2_00007FF67B6499A0
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: GetUserDefaultLCID,GetLocaleInfoW,GetModuleFileNameW,FreeLibrary,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA, 37_2_00007FF6E8930EC4
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,_wcsncoll,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary, 37_2_00007FF6E893340C
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E121300 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 26_2_00007FF74E121300
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code function: 19_2_00007FF73D055FF8 PostMessageW,DialogBoxParamW,memset,GetVersionExW,ShellAboutW,GetLastError,InvalidateRect, 19_2_00007FF73D055FF8
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E8926CEC RegisterEventSourceW,GetUserNameW,LookupAccountNameW,LookupAccountNameW,ReportEventW,DeregisterEventSource,SysFreeString,RegCloseKey,RegCloseKey, 37_2_00007FF6E8926CEC

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF79147B16C RpcStringFreeW,RpcBindingFree,CloseHandle, 32_2_00007FF79147B16C
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF79147AF10 memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,CreateEventW,GetLastError,RpcAsyncInitializeHandle,WaitForMultipleObjects,RpcAsyncCancelCall,WaitForSingleObject,RpcAsyncCompleteCall,memcpy,RpcStringFreeW,RpcBindingFree,CloseHandle, 32_2_00007FF79147AF10
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF79147B0A2 WaitForMultipleObjects,RpcAsyncCancelCall,WaitForSingleObject,RpcAsyncCompleteCall,RpcStringFreeW,RpcBindingFree,CloseHandle, 32_2_00007FF79147B0A2
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E89291AC GetUserDefaultLCID,CreateBindCtx, 37_2_00007FF6E89291AC
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E8924FE0 CreateBindCtx,SysAllocStringByteLen,SysFreeString, 37_2_00007FF6E8924FE0
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E892C370 CreateBindCtx,MkParseDisplayName, 37_2_00007FF6E892C370
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Code function: 41_2_00007FF6E6D672BC memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,AllocateAndInitializeSid,GetLastError,RpcBindingSetAuthInfoExW,RpcStringFreeW,FreeSid,RpcBindingFree, 41_2_00007FF6E6D672BC
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Code function: 41_2_00007FF6E6D674BE RpcBindingFree, 41_2_00007FF6E6D674BE
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Code function: 41_2_00007FF6E6D67450 NdrClientCall3,RpcBindingFree, 41_2_00007FF6E6D67450
No contacted IP infos