Windows Analysis Report A1ogRC4R34

Overview

General Information

Sample Name: A1ogRC4R34 (renamed file extension from none to dll)
Analysis ID: 492806
MD5: 5edd6ba336c4de29f55cadfd2167a67e
SHA1: af181a8f3fe25a515a8fe2a02559e5daceecf976
SHA256: eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d
Tags: Dridexexe
Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Accesses ntoskrnl, likely to find offsets for exploits
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Drops files with a non-matching file extension (content does not match file extension)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: A1ogRC4R34.dll Virustotal: Detection: 62%
Source: A1ogRC4R34.dll Metadefender: Detection: 57%
Source: A1ogRC4R34.dll ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: A1ogRC4R34.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\fID\WINSTA.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\uBsjD\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL Avira: detection malicious, Label: HEUR/AGEN.1114452
Machine Learning detection for sample
Source: A1ogRC4R34.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\fID\WINSTA.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\uBsjD\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785A82D94 CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext, 24_2_00007FF785A82D94

Exploits:

Accesses ntoskrnl, likely to find offsets for exploits
Source: C:\Windows\explorer.exe File opened: C:\Windows\system32\ntkrnlmp.exe
Source: A1ogRC4R34.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D290 FindFirstFileExW, 1_2_000000014005D290

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000028.00000002.476229981.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.248393203.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.327777249.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.356788011.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.390772898.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.449479227.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.234114370.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.241053387.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.416996891.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140034870 1_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140035270 1_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140048AC0 1_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005C340 1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140065B80 1_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006A4B0 1_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400524B0 1_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140026CC0 1_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004BD40 1_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400495B0 1_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140036F30 1_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140069010 1_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140001010 1_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140066020 1_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002F840 1_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D850 1_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140064080 1_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140010880 1_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400688A0 1_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002D0D0 1_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400018D0 1_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140016100 1_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001D100 1_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002A110 1_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001D910 1_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140015120 1_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000B120 1_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004F940 1_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140039140 1_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140023140 1_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140057950 1_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001E170 1_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140002980 1_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400611A0 1_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400389A0 1_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400381A0 1_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002E1B0 1_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400139D0 1_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400319F0 1_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002EA00 1_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140022A00 1_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003B220 1_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140067A40 1_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140069A50 1_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140007A60 1_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003AAC0 1_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003A2E0 1_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140062B00 1_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140018300 1_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002FB20 1_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140031340 1_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140022340 1_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140017B40 1_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000BB40 1_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004EB60 1_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140005370 1_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002CB80 1_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B390 1_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140054BA0 1_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140033BB0 1_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400263C0 1_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400123C0 1_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140063BD0 1_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400663F0 1_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140023BF0 1_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B41B 1_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B424 1_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B42D 1_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B436 1_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B43D 1_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140024440 1_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140005C40 1_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B446 1_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005F490 1_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140022D00 1_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140035520 1_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140019D20 1_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140030530 1_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140023530 1_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140031540 1_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140033540 1_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014007BD50 1_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140078570 1_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140019580 1_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400205A0 1_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140025DB0 1_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140071DC0 1_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000C5C0 1_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002DDE0 1_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140031DF0 1_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000DDF0 1_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140001620 1_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140018630 1_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140032650 1_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140064E80 1_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140016E80 1_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140007EA0 1_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400286B0 1_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140006EB0 1_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400276C0 1_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002FEC0 1_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002EED0 1_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002B6E0 1_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140053F20 1_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140022730 1_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140029780 1_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140018F80 1_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003EFB0 1_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400067B0 1_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400667D0 1_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140060FE0 1_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785A82EA4 24_2_00007FF785A82EA4
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AAE688 24_2_00007FF785AAE688
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AB8E00 24_2_00007FF785AB8E00
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785ABA908 24_2_00007FF785ABA908
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785A8D87C 24_2_00007FF785A8D87C
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785A91780 24_2_00007FF785A91780
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AB7ACC 24_2_00007FF785AB7ACC
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AB9B14 24_2_00007FF785AB9B14
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AB8A40 24_2_00007FF785AB8A40
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785ABB1C0 24_2_00007FF785ABB1C0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AAE12C 24_2_00007FF785AAE12C
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AB1978 24_2_00007FF785AB1978
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AB4CD0 24_2_00007FF785AB4CD0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785A9FCF0 24_2_00007FF785A9FCF0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AAFC6C 24_2_00007FF785AAFC6C
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140046C90 NtClose, 1_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006A4B0 NtQuerySystemInformation, 1_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AA9590 GetWindowThreadProcessId,CloseHandle,OpenProcess,QueryFullProcessImageNameW,NtQueryInformationProcess,CloseHandle, 24_2_00007FF785AA9590
PE file contains executable resources (Code or Archives)
Source: DmNotificationBroker.exe.5.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file contains strange resources
Source: BitLockerWizardElev.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BitLockerWizardElev.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BitLockerWizardElev.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesAdvanced.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesAdvanced.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesAdvanced.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: FVEWIZ.dll.5.dr Static PE information: Number of sections : 48 > 10
Source: TAPI32.dll.5.dr Static PE information: Number of sections : 48 > 10
Source: DUI70.dll.5.dr Static PE information: Number of sections : 48 > 10
Source: WINSTA.dll.5.dr Static PE information: Number of sections : 48 > 10
Source: SYSDM.CPL.5.dr Static PE information: Number of sections : 48 > 10
Source: WINMM.dll.5.dr Static PE information: Number of sections : 48 > 10
Source: VERSION.dll.5.dr Static PE information: Number of sections : 48 > 10
Source: A1ogRC4R34.dll Static PE information: Number of sections : 47 > 10
Source: dpx.dll.5.dr Static PE information: Number of sections : 47 > 10
Source: A1ogRC4R34.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FVEWIZ.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dpx.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TAPI32.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
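The two static findings above (47 or 48 sections where a normal build has a handful, and a single executable .text section) are checkable without a sandbox. The following is an added triage example, not Joe Sandbox code: it walks the IMAGE_SECTION_HEADER table of a PE image and reports the section count, names that no common linker emits (the .qkm, .cvjb, .tlmkv ... names listed under Data Obfuscation below), and which sections are executable or both writable and executable. Because the report gives only section names and counts, the test input is a constructed header-only PE built by build_pe(); the standard-name set and the 10-section threshold are assumptions mirroring the report's "> 10" rule, not values from the page.

```python
import struct

# Section names a normal MSVC/MinGW build emits; anything else is reported as non-standard (assumed list).
STANDARD_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata", ".edata",
    ".tls", ".bss", ".xdata", ".didat", ".gfids", ".00cfg", ".CRT",
}
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: 40 bytes, little-endian

# Section names taken from the report: the .text section plus the first six non-standard names (constructed input).
SAMPLE_LIKE_SECTIONS = [".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                        ".qkm", ".cvjb", ".tlmkv", ".wucsxe", ".fltwtj", ".sfplio"]


def parse_sections(data):
    """Return [{'name', 'characteristics'}] for every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional_header  # section table follows the optional header
    sections = []
    for i in range(number_of_sections):
        fields = struct.unpack_from(SECTION_HEADER, data, table + i * 40)
        sections.append({"name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
                         "characteristics": fields[9]})
    return sections


def triage_sections(data, max_sections=10):
    """Flag the section-table anomalies the report lists: too many sections, odd names, RWX sections."""
    sections = parse_sections(data)
    names = [s["name"] for s in sections]
    return {
        "section_count": len(sections),
        "too_many_sections": len(sections) > max_sections,
        "nonstandard_names": [n for n in names if n not in STANDARD_SECTION_NAMES],
        "executable_sections": [s["name"] for s in sections if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE],
        "writable_executable": [s["name"] for s in sections
                                if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE
                                and s["characteristics"] & IMAGE_SCN_MEM_WRITE],
    }


def build_pe(section_names, size_of_optional_header=240):
    """Build a header-only x64 PE (not loadable) so the triage can run offline; constructed test input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, size_of_optional_header, 0x2022)
    optional = bytes(size_of_optional_header)  # zeroed; only its length matters for locating the section table
    headers = b""
    for i, name in enumerate(section_names):
        if name == ".text":
            chars = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
        else:
            chars = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
        headers += struct.pack(SECTION_HEADER, name.encode("ascii").ljust(8, b"\0"),
                               0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + optional + headers


if __name__ == "__main__":
    for key, value in triage_sections(build_pe(SAMPLE_LIKE_SECTIONS)).items():
        print(f"{key}: {value}")
```

Run against a real file, the same triage_sections() call takes the bytes of the DLL; a build that trips both the count and the name check is worth a closer look even before any detonation, while a single flagged name alone (packers and some compilers use odd names) is weak evidence on its own.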
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameA
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameW
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,RemoteAssistancePrepareSystemRestore
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rdpinit.exe C:\Windows\system32\rdpinit.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\fID\rdpinit.exe C:\Users\user\AppData\Local\fID\rdpinit.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\BitLockerWizardElev.exe C:\Windows\system32\BitLockerWizardElev.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\unregmp2.exe C:\Windows\system32\unregmp2.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
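The process-creation lines above show the pattern behind the "Benign windows process drops PE files" and "Drops PE files" signatures: explorer.exe launches a signed Windows binary from System32 (rdpinit.exe, DmNotificationBroker.exe, BitLockerWizardElev.exe, wusa.exe, SystemPropertiesAdvanced.exe), then launches a copy of the same binary from a freshly named folder under %LOCALAPPDATA%, and the Avira-flagged dropped files sit in exactly those folders under the names of DLLs the host binary would otherwise load from System32 (WINSTA.dll beside rdpinit.exe, DUI70.dll beside DmNotificationBroker.exe, FVEWIZ.dll beside BitLockerWizardElev.exe, dpx.dll beside wusa.exe, SYSDM.CPL beside SystemPropertiesAdvanced.exe). That is DLL search-order hijacking: the application directory is searched before System32. The following added example, not part of the sandbox's output, correlates the two lists as a triage check. The input lines are copied from the report above; the directory names and pairings are what the report shows, nothing is inferred beyond the join on directory.

```python
import re
from pathlib import PureWindowsPath

# "Process created" lines copied from the report above (explorer.exe as parent).
REPORT_PROCESS_LINES = [
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rdpinit.exe C:\Windows\system32\rdpinit.exe",
    r"Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\fID\rdpinit.exe C:\Users\user\AppData\Local\fID\rdpinit.exe",
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe",
    r"Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe",
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\BitLockerWizardElev.exe C:\Windows\system32\BitLockerWizardElev.exe",
    r"Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe",
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe",
    r"Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe",
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe",
    r"Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe",
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\unregmp2.exe C:\Windows\system32\unregmp2.exe",
    r"Source: C:\Windows\explorer.exe Process created: unknown unknown",
]

# Dropped files flagged by Avira in the report above.
REPORT_DROPPED_FILES = [
    r"C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll",
    r"C:\Users\user\AppData\Local\fID\WINSTA.dll",
    r"C:\Users\user\AppData\Local\uBsjD\DUI70.dll",
    r"C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll",
    r"C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll",
    r"C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll",
    r"C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll",
    r"C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL",
]

PROC_RE = re.compile(r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) ?(?P<cmdline>.*)$")
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LOADABLE_SUFFIXES = {".dll", ".cpl"}  # both are loaded via LoadLibrary and follow the DLL search order


def parse_process_created(line):
    """Return (parent, image, command_line) for a report 'Process created' line, else None."""
    m = PROC_RE.match(line.strip())
    return (m["parent"], m["image"], m["cmdline"]) if m else None


def _dir_of(path):
    return str(PureWindowsPath(path).parent).lower()


def find_sideload_candidates(process_lines, dropped_files):
    """A binary also seen launched from a system dir, now run from elsewhere, with dropped DLL/CPL files beside it."""
    launches = [p for p in map(parse_process_created, process_lines) if p]
    system_names = {PureWindowsPath(img).name.lower() for _, img, _ in launches if _dir_of(img) in SYSTEM_DIRS}
    dropped_by_dir = {}
    for f in dropped_files:
        p = PureWindowsPath(f)
        if p.suffix.lower() in LOADABLE_SUFFIXES:
            dropped_by_dir.setdefault(_dir_of(f), []).append(p.name)
    hits = []
    for parent, image, _ in launches:
        name, directory = PureWindowsPath(image).name.lower(), _dir_of(image)
        if name in system_names and directory not in SYSTEM_DIRS:
            hits.append({"parent": parent, "image": image, "companions": sorted(dropped_by_dir.get(directory, []))})
    return hits


def orphan_drop_dirs(process_lines, dropped_files):
    """Drop directories with no visible host launch; in this report those line up with the 'unknown' launches."""
    launched_dirs = {_dir_of(p[1]) for p in map(parse_process_created, process_lines) if p}
    return sorted({_dir_of(f) for f in dropped_files} - launched_dirs)


if __name__ == "__main__":
    for hit in find_sideload_candidates(REPORT_PROCESS_LINES, REPORT_DROPPED_FILES):
        print(f"{hit['image']}  <-  {', '.join(hit['companions']) or '(no dropped DLL seen)'}")
    print("unpaired drop dirs:", orphan_drop_dirs(REPORT_PROCESS_LINES, REPORT_DROPPED_FILES))
```

On live endpoint telemetry the same join works on process-create and file-create events: the signal is a Microsoft-signed image name executing from a user-writable directory that also received a DLL or CPL named like a System32 module shortly before. Three of the dropped files (VERSION.dll, TAPI32.dll, WINMM.dll) have no host launch in the report, which matches the five launches the sandbox could only record as "unknown unknown".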
Source: classification engine Classification label: mal100.troj.expl.evad.winDLL@38/17@0/0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785A91D80 CoCreateInstance,CoSetProxyBlanket, 24_2_00007FF785A91D80
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameA
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe Mutant created: \Sessions\1\BaseNamedObjects\{0ad3bd68-c5ec-a10f-ef97-5ace4ed7d359}
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe Mutant created: \Sessions\1\BaseNamedObjects\{f429f929-471a-28a5-5cf5-8c81149c5888}
Source: rdpinit.exe String found in binary or memory: Re-Start RdpShell failed
Source: A1ogRC4R34.dll Static PE information: More than 166 > 100 exports found
Source: A1ogRC4R34.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: A1ogRC4R34.dll Static file information: File size 2166784 > 1048576
Source: A1ogRC4R34.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140056A4D push rdi; ret 1_2_0000000140056A4E
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785A94162 push rcx; ret 24_2_00007FF785A94163
PE file contains sections with non-standard names
Source: A1ogRC4R34.dll Static PE information: section name: .qkm
Source: A1ogRC4R34.dll Static PE information: section name: .cvjb
Source: A1ogRC4R34.dll Static PE information: section name: .tlmkv
Source: A1ogRC4R34.dll Static PE information: section name: .wucsxe
Source: A1ogRC4R34.dll Static PE information: section name: .fltwtj
Source: A1ogRC4R34.dll Static PE information: section name: .sfplio
Source: A1ogRC4R34.dll Static PE information: section name: .rpg
Source: A1ogRC4R34.dll Static PE information: section name: .bewzc
Source: A1ogRC4R34.dll Static PE information: section name: .vksvaw
Source: A1ogRC4R34.dll Static PE information: section name: .wmhg
Source: A1ogRC4R34.dll Static PE information: section name: .kswemc
Source: A1ogRC4R34.dll Static PE information: section name: .kaxfk
Source: A1ogRC4R34.dll Static PE information: section name: .pjf
Source: A1ogRC4R34.dll Static PE information: section name: .retjqj
Source: A1ogRC4R34.dll Static PE information: section name: .mizn
Source: A1ogRC4R34.dll Static PE information: section name: .rsrub
Source: A1ogRC4R34.dll Static PE information: section name: .fhgxfk
Source: A1ogRC4R34.dll Static PE information: section name: .wqpbrq
Source: A1ogRC4R34.dll Static PE information: section name: .xlhbgj
Source: A1ogRC4R34.dll Static PE information: section name: .rzgl
Source: A1ogRC4R34.dll Static PE information: section name: .yic
Source: A1ogRC4R34.dll Static PE information: section name: .zfmbo
Source: A1ogRC4R34.dll Static PE information: section name: .kurwl
Source: A1ogRC4R34.dll Static PE information: section name: .crlsf
Source: A1ogRC4R34.dll Static PE information: section name: .wrn
Source: A1ogRC4R34.dll Static PE information: section name: .blcv
Source: A1ogRC4R34.dll Static PE information: section name: .roblb
Source: A1ogRC4R34.dll Static PE information: section name: .yblxa
Source: A1ogRC4R34.dll Static PE information: section name: .tfy
Source: A1ogRC4R34.dll Static PE information: section name: .wsmv
Source: A1ogRC4R34.dll Static PE information: section name: .hrs
Source: A1ogRC4R34.dll Static PE information: section name: .ppapg
Source: A1ogRC4R34.dll Static PE information: section name: .udm
Source: A1ogRC4R34.dll Static PE information: section name: .fxc
Source: A1ogRC4R34.dll Static PE information: section name: .fvxxk
Source: A1ogRC4R34.dll Static PE information: section name: .zmj
Source: A1ogRC4R34.dll Static PE information: section name: .zvz
Source: A1ogRC4R34.dll Static PE information: section name: .xyiz
Source: A1ogRC4R34.dll Static PE information: section name: .gbzxp
Source: A1ogRC4R34.dll Static PE information: section name: .kkivgv
Source: A1ogRC4R34.dll Static PE information: section name: .evwibb
Source: rdpinit.exe.5.dr Static PE information: section name: .imrsiv
Source: DmNotificationBroker.exe.5.dr Static PE information: section name: .imrsiv
Source: WINSTA.dll.5.dr Static PE information: section name: .qkm
Source: WINSTA.dll.5.dr Static PE information: section name: .cvjb
Source: WINSTA.dll.5.dr Static PE information: section name: .tlmkv
Source: WINSTA.dll.5.dr Static PE information: section name: .wucsxe
Source: WINSTA.dll.5.dr Static PE information: section name: .fltwtj
Source: WINSTA.dll.5.dr Static PE information: section name: .sfplio
Source: WINSTA.dll.5.dr Static PE information: section name: .rpg
Source: WINSTA.dll.5.dr Static PE information: section name: .bewzc
Source: WINSTA.dll.5.dr Static PE information: section name: .vksvaw
Source: WINSTA.dll.5.dr Static PE information: section name: .wmhg
Source: WINSTA.dll.5.dr Static PE information: section name: .kswemc
Source: WINSTA.dll.5.dr Static PE information: section name: .kaxfk
Source: WINSTA.dll.5.dr Static PE information: section name: .pjf
Source: WINSTA.dll.5.dr Static PE information: section name: .retjqj
Source: WINSTA.dll.5.dr Static PE information: section name: .mizn
Source: WINSTA.dll.5.dr Static PE information: section name: .rsrub
Source: WINSTA.dll.5.dr Static PE information: section name: .fhgxfk
Source: WINSTA.dll.5.dr Static PE information: section name: .wqpbrq
Source: WINSTA.dll.5.dr Static PE information: section name: .xlhbgj
Source: WINSTA.dll.5.dr Static PE information: section name: .rzgl
Source: WINSTA.dll.5.dr Static PE information: section name: .yic
Source: WINSTA.dll.5.dr Static PE information: section name: .zfmbo
Source: WINSTA.dll.5.dr Static PE information: section name: .kurwl
Source: WINSTA.dll.5.dr Static PE information: section name: .crlsf
Source: WINSTA.dll.5.dr Static PE information: section name: .wrn
Source: WINSTA.dll.5.dr Static PE information: section name: .blcv
Source: WINSTA.dll.5.dr Static PE information: section name: .roblb
Source: WINSTA.dll.5.dr Static PE information: section name: .yblxa
Source: WINSTA.dll.5.dr Static PE information: section name: .tfy
Source: WINSTA.dll.5.dr Static PE information: section name: .wsmv
Source: WINSTA.dll.5.dr Static PE information: section name: .hrs
Source: WINSTA.dll.5.dr Static PE information: section name: .ppapg
Source: WINSTA.dll.5.dr Static PE information: section name: .udm
Source: WINSTA.dll.5.dr Static PE information: section name: .fxc
Source: WINSTA.dll.5.dr Static PE information: section name: .fvxxk
Source: WINSTA.dll.5.dr Static PE information: section name: .zmj
Source: WINSTA.dll.5.dr Static PE information: section name: .zvz
Source: WINSTA.dll.5.dr Static PE information: section name: .xyiz
Source: WINSTA.dll.5.dr Static PE information: section name: .gbzxp
Source: WINSTA.dll.5.dr Static PE information: section name: .kkivgv
Source: WINSTA.dll.5.dr Static PE information: section name: .evwibb
Source: WINSTA.dll.5.dr Static PE information: section name: .rqefr
Source: DUI70.dll.5.dr Static PE information: section name: .qkm
Source: DUI70.dll.5.dr Static PE information: section name: .cvjb
Source: DUI70.dll.5.dr Static PE information: section name: .tlmkv
Source: DUI70.dll.5.dr Static PE information: section name: .wucsxe
Source: DUI70.dll.5.dr Static PE information: section name: .fltwtj
Source: DUI70.dll.5.dr Static PE information: section name: .sfplio
Source: DUI70.dll.5.dr Static PE information: section name: .rpg
Source: DUI70.dll.5.dr Static PE information: section name: .bewzc
Source: DUI70.dll.5.dr Static PE information: section name: .vksvaw
Source: DUI70.dll.5.dr Static PE information: section name: .wmhg
Source: DUI70.dll.5.dr Static PE information: section name: .kswemc
Source: DUI70.dll.5.dr Static PE information: section name: .kaxfk
Source: DUI70.dll.5.dr Static PE information: section name: .pjf
Source: DUI70.dll.5.dr Static PE information: section name: .retjqj
Source: DUI70.dll.5.dr Static PE information: section name: .mizn
Source: DUI70.dll.5.dr Static PE information: section name: .rsrub
Source: DUI70.dll.5.dr Static PE information: section name: .fhgxfk
Source: DUI70.dll.5.dr Static PE information: section name: .wqpbrq
Source: DUI70.dll.5.dr Static PE information: section name: .xlhbgj
Source: DUI70.dll.5.dr Static PE information: section name: .rzgl
Source: DUI70.dll.5.dr Static PE information: section name: .yic
Source: DUI70.dll.5.dr Static PE information: section name: .zfmbo
Source: DUI70.dll.5.dr Static PE information: section name: .kurwl
Source: DUI70.dll.5.dr Static PE information: section name: .crlsf
Source: DUI70.dll.5.dr Static PE information: section name: .wrn
Source: DUI70.dll.5.dr Static PE information: section name: .blcv
Source: DUI70.dll.5.dr Static PE information: section name: .roblb
Source: DUI70.dll.5.dr Static PE information: section name: .yblxa
Source: DUI70.dll.5.dr Static PE information: section name: .tfy
Source: DUI70.dll.5.dr Static PE information: section name: .wsmv
Source: DUI70.dll.5.dr Static PE information: section name: .hrs
Source: DUI70.dll.5.dr Static PE information: section name: .ppapg
Source: DUI70.dll.5.dr Static PE information: section name: .udm
Source: DUI70.dll.5.dr Static PE information: section name: .fxc
Source: DUI70.dll.5.dr Static PE information: section name: .fvxxk
Source: DUI70.dll.5.dr Static PE information: section name: .zmj
Source: DUI70.dll.5.dr Static PE information: section name: .zvz
Source: DUI70.dll.5.dr Static PE information: section name: .xyiz
Source: DUI70.dll.5.dr Static PE information: section name: .gbzxp
Source: DUI70.dll.5.dr Static PE information: section name: .kkivgv
Source: DUI70.dll.5.dr Static PE information: section name: .evwibb
Source: DUI70.dll.5.dr Static PE information: section name: .kcklp
Source: FVEWIZ.dll.5.dr Static PE information: section name: .qkm
Source: FVEWIZ.dll.5.dr Static PE information: section name: .cvjb
Source: FVEWIZ.dll.5.dr Static PE information: section name: .tlmkv
Source: FVEWIZ.dll.5.dr Static PE information: section name: .wucsxe
Source: FVEWIZ.dll.5.dr Static PE information: section name: .fltwtj
Source: FVEWIZ.dll.5.dr Static PE information: section name: .sfplio
Source: FVEWIZ.dll.5.dr Static PE information: section name: .rpg
Source: FVEWIZ.dll.5.dr Static PE information: section name: .bewzc
Source: FVEWIZ.dll.5.dr Static PE information: section name: .vksvaw
Source: FVEWIZ.dll.5.dr Static PE information: section name: .wmhg
Source: FVEWIZ.dll.5.dr Static PE information: section name: .kswemc
Source: FVEWIZ.dll.5.dr Static PE information: section name: .kaxfk
Source: FVEWIZ.dll.5.dr Static PE information: section name: .pjf
Source: FVEWIZ.dll.5.dr Static PE information: section name: .retjqj
Source: FVEWIZ.dll.5.dr Static PE information: section name: .mizn
Source: FVEWIZ.dll.5.dr Static PE information: section name: .rsrub
Source: FVEWIZ.dll.5.dr Static PE information: section name: .fhgxfk
Source: FVEWIZ.dll.5.dr Static PE information: section name: .wqpbrq
Source: FVEWIZ.dll.5.dr Static PE information: section name: .xlhbgj
Source: FVEWIZ.dll.5.dr Static PE information: section name: .rzgl
Source: FVEWIZ.dll.5.dr Static PE information: section name: .yic
Source: FVEWIZ.dll.5.dr Static PE information: section name: .zfmbo
Source: FVEWIZ.dll.5.dr Static PE information: section name: .kurwl
Source: FVEWIZ.dll.5.dr Static PE information: section name: .crlsf
Source: FVEWIZ.dll.5.dr Static PE information: section name: .wrn
Source: FVEWIZ.dll.5.dr Static PE information: section name: .blcv
Source: FVEWIZ.dll.5.dr Static PE information: section name: .roblb
Source: FVEWIZ.dll.5.dr Static PE information: section name: .yblxa
Source: FVEWIZ.dll.5.dr Static PE information: section name: .tfy
Source: FVEWIZ.dll.5.dr Static PE information: section name: .wsmv
Source: FVEWIZ.dll.5.dr Static PE information: section name: .hrs
Source: FVEWIZ.dll.5.dr Static PE information: section name: .ppapg
Source: FVEWIZ.dll.5.dr Static PE information: section name: .udm
Source: FVEWIZ.dll.5.dr Static PE information: section name: .fxc
Source: FVEWIZ.dll.5.dr Static PE information: section name: .fvxxk
Source: FVEWIZ.dll.5.dr Static PE information: section name: .zmj
Source: FVEWIZ.dll.5.dr Static PE information: section name: .zvz
Source: FVEWIZ.dll.5.dr Static PE information: section name: .xyiz
Source: FVEWIZ.dll.5.dr Static PE information: section name: .gbzxp
Source: FVEWIZ.dll.5.dr Static PE information: section name: .kkivgv
Source: FVEWIZ.dll.5.dr Static PE information: section name: .evwibb
Source: FVEWIZ.dll.5.dr Static PE information: section name: .nzduo
Source: dpx.dll.5.dr Static PE information: section name: .qkm
Source: dpx.dll.5.dr Static PE information: section name: .cvjb
Source: dpx.dll.5.dr Static PE information: section name: .tlmkv
Source: dpx.dll.5.dr Static PE information: section name: .wucsxe
Source: dpx.dll.5.dr Static PE information: section name: .fltwtj
Source: dpx.dll.5.dr Static PE information: section name: .sfplio
Source: dpx.dll.5.dr Static PE information: section name: .rpg
Source: dpx.dll.5.dr Static PE information: section name: .bewzc
Source: dpx.dll.5.dr Static PE information: section name: .vksvaw
Source: dpx.dll.5.dr Static PE information: section name: .wmhg
Source: dpx.dll.5.dr Static PE information: section name: .kswemc
Source: dpx.dll.5.dr Static PE information: section name: .kaxfk
Source: dpx.dll.5.dr Static PE information: section name: .pjf
Source: dpx.dll.5.dr Static PE information: section name: .retjqj
Source: dpx.dll.5.dr Static PE information: section name: .mizn
Source: dpx.dll.5.dr Static PE information: section name: .rsrub
Source: dpx.dll.5.dr Static PE information: section name: .fhgxfk
Source: dpx.dll.5.dr Static PE information: section name: .wqpbrq
Source: dpx.dll.5.dr Static PE information: section name: .xlhbgj
Source: dpx.dll.5.dr Static PE information: section name: .rzgl
Source: dpx.dll.5.dr Static PE information: section name: .yic
Source: dpx.dll.5.dr Static PE information: section name: .zfmbo
Source: dpx.dll.5.dr Static PE information: section name: .kurwl
Source: dpx.dll.5.dr Static PE information: section name: .crlsf
Source: dpx.dll.5.dr Static PE information: section name: .wrn
Source: dpx.dll.5.dr Static PE information: section name: .blcv
Source: dpx.dll.5.dr Static PE information: section name: .roblb
Source: dpx.dll.5.dr Static PE information: section name: .yblxa
Source: dpx.dll.5.dr Static PE information: section name: .tfy
Source: dpx.dll.5.dr Static PE information: section name: .wsmv
Source: dpx.dll.5.dr Static PE information: section name: .hrs
Source: dpx.dll.5.dr Static PE information: section name: .ppapg
Source: dpx.dll.5.dr Static PE information: section name: .udm
Source: dpx.dll.5.dr Static PE information: section name: .fxc
Source: dpx.dll.5.dr Static PE information: section name: .fvxxk
Source: dpx.dll.5.dr Static PE information: section name: .zmj
Source: dpx.dll.5.dr Static PE information: section name: .zvz
Source: dpx.dll.5.dr Static PE information: section name: .xyiz
Source: dpx.dll.5.dr Static PE information: section name: .gbzxp
Source: dpx.dll.5.dr Static PE information: section name: .kkivgv
Source: dpx.dll.5.dr Static PE information: section name: .evwibb
Source: SYSDM.CPL.5.dr Static PE information: section name: .qkm
Source: SYSDM.CPL.5.dr Static PE information: section name: .cvjb
Source: SYSDM.CPL.5.dr Static PE information: section name: .tlmkv
Source: SYSDM.CPL.5.dr Static PE information: section name: .wucsxe
Source: SYSDM.CPL.5.dr Static PE information: section name: .fltwtj
Source: SYSDM.CPL.5.dr Static PE information: section name: .sfplio
Source: SYSDM.CPL.5.dr Static PE information: section name: .rpg
Source: SYSDM.CPL.5.dr Static PE information: section name: .bewzc
Source: SYSDM.CPL.5.dr Static PE information: section name: .vksvaw
Source: SYSDM.CPL.5.dr Static PE information: section name: .wmhg
Source: SYSDM.CPL.5.dr Static PE information: section name: .kswemc
Source: SYSDM.CPL.5.dr Static PE information: section name: .kaxfk
Source: SYSDM.CPL.5.dr Static PE information: section name: .pjf
Source: SYSDM.CPL.5.dr Static PE information: section name: .retjqj
Source: SYSDM.CPL.5.dr Static PE information: section name: .mizn
Source: SYSDM.CPL.5.dr Static PE information: section name: .rsrub
Source: SYSDM.CPL.5.dr Static PE information: section name: .fhgxfk
Source: SYSDM.CPL.5.dr Static PE information: section name: .wqpbrq
Source: SYSDM.CPL.5.dr Static PE information: section name: .xlhbgj
Source: SYSDM.CPL.5.dr Static PE information: section name: .rzgl
Source: SYSDM.CPL.5.dr Static PE information: section name: .yic
Source: SYSDM.CPL.5.dr Static PE information: section name: .zfmbo
Source: SYSDM.CPL.5.dr Static PE information: section name: .kurwl
Source: SYSDM.CPL.5.dr Static PE information: section name: .crlsf
Source: SYSDM.CPL.5.dr Static PE information: section name: .wrn
Source: SYSDM.CPL.5.dr Static PE information: section name: .blcv
Source: SYSDM.CPL.5.dr Static PE information: section name: .roblb
Source: SYSDM.CPL.5.dr Static PE information: section name: .yblxa
Source: SYSDM.CPL.5.dr Static PE information: section name: .tfy
Source: SYSDM.CPL.5.dr Static PE information: section name: .wsmv
Source: SYSDM.CPL.5.dr Static PE information: section name: .hrs
Source: SYSDM.CPL.5.dr Static PE information: section name: .ppapg
Source: SYSDM.CPL.5.dr Static PE information: section name: .udm
Source: SYSDM.CPL.5.dr Static PE information: section name: .fxc
Source: SYSDM.CPL.5.dr Static PE information: section name: .fvxxk
Source: SYSDM.CPL.5.dr Static PE information: section name: .zmj
Source: SYSDM.CPL.5.dr Static PE information: section name: .zvz
Source: SYSDM.CPL.5.dr Static PE information: section name: .xyiz
Source: SYSDM.CPL.5.dr Static PE information: section name: .gbzxp
Source: SYSDM.CPL.5.dr Static PE information: section name: .kkivgv
Source: SYSDM.CPL.5.dr Static PE information: section name: .evwibb
Source: SYSDM.CPL.5.dr Static PE information: section name: .ffktuw
Source: VERSION.dll.5.dr Static PE information: section name: .qkm
Source: VERSION.dll.5.dr Static PE information: section name: .cvjb
Source: VERSION.dll.5.dr Static PE information: section name: .tlmkv
Source: VERSION.dll.5.dr Static PE information: section name: .wucsxe
Source: VERSION.dll.5.dr Static PE information: section name: .fltwtj
Source: VERSION.dll.5.dr Static PE information: section name: .sfplio
Source: VERSION.dll.5.dr Static PE information: section name: .rpg
Source: VERSION.dll.5.dr Static PE information: section name: .bewzc
Source: VERSION.dll.5.dr Static PE information: section name: .vksvaw
Source: VERSION.dll.5.dr Static PE information: section name: .wmhg
Source: VERSION.dll.5.dr Static PE information: section name: .kswemc
Source: VERSION.dll.5.dr Static PE information: section name: .kaxfk
Source: VERSION.dll.5.dr Static PE information: section name: .pjf
Source: VERSION.dll.5.dr Static PE information: section name: .retjqj
Source: VERSION.dll.5.dr Static PE information: section name: .mizn
Source: VERSION.dll.5.dr Static PE information: section name: .rsrub
Source: VERSION.dll.5.dr Static PE information: section name: .fhgxfk
Source: VERSION.dll.5.dr Static PE information: section name: .wqpbrq
Source: VERSION.dll.5.dr Static PE information: section name: .xlhbgj
Source: VERSION.dll.5.dr Static PE information: section name: .rzgl
Source: VERSION.dll.5.dr Static PE information: section name: .yic
Source: VERSION.dll.5.dr Static PE information: section name: .zfmbo
Source: VERSION.dll.5.dr Static PE information: section name: .kurwl
Source: VERSION.dll.5.dr Static PE information: section name: .crlsf
Source: VERSION.dll.5.dr Static PE information: section name: .wrn
Source: VERSION.dll.5.dr Static PE information: section name: .blcv
Source: VERSION.dll.5.dr Static PE information: section name: .roblb
Source: VERSION.dll.5.dr Static PE information: section name: .yblxa
Source: VERSION.dll.5.dr Static PE information: section name: .tfy
Source: VERSION.dll.5.dr Static PE information: section name: .wsmv
Source: VERSION.dll.5.dr Static PE information: section name: .hrs
Source: VERSION.dll.5.dr Static PE information: section name: .ppapg
Source: VERSION.dll.5.dr Static PE information: section name: .udm
Source: VERSION.dll.5.dr Static PE information: section name: .fxc
Source: VERSION.dll.5.dr Static PE information: section name: .fvxxk
Source: VERSION.dll.5.dr Static PE information: section name: .zmj
Source: VERSION.dll.5.dr Static PE information: section name: .zvz
Source: VERSION.dll.5.dr Static PE information: section name: .xyiz
Source: VERSION.dll.5.dr Static PE information: section name: .gbzxp
Source: VERSION.dll.5.dr Static PE information: section name: .kkivgv
Source: VERSION.dll.5.dr Static PE information: section name: .evwibb
Source: VERSION.dll.5.dr Static PE information: section name: .swia
Source: TAPI32.dll.5.dr Static PE information: section name: .qkm
Source: TAPI32.dll.5.dr Static PE information: section name: .cvjb
Source: TAPI32.dll.5.dr Static PE information: section name: .tlmkv
Source: TAPI32.dll.5.dr Static PE information: section name: .wucsxe
Source: TAPI32.dll.5.dr Static PE information: section name: .fltwtj
Source: TAPI32.dll.5.dr Static PE information: section name: .sfplio
Source: TAPI32.dll.5.dr Static PE information: section name: .rpg
Source: TAPI32.dll.5.dr Static PE information: section name: .bewzc
Source: TAPI32.dll.5.dr Static PE information: section name: .vksvaw
Source: TAPI32.dll.5.dr Static PE information: section name: .wmhg
Source: TAPI32.dll.5.dr Static PE information: section name: .kswemc
Source: TAPI32.dll.5.dr Static PE information: section name: .kaxfk
Source: TAPI32.dll.5.dr Static PE information: section name: .pjf
Source: TAPI32.dll.5.dr Static PE information: section name: .retjqj
Source: TAPI32.dll.5.dr Static PE information: section name: .mizn
Source: TAPI32.dll.5.dr Static PE information: section name: .rsrub
Source: TAPI32.dll.5.dr Static PE information: section name: .fhgxfk
Source: TAPI32.dll.5.dr Static PE information: section name: .wqpbrq
Source: TAPI32.dll.5.dr Static PE information: section name: .xlhbgj
Source: TAPI32.dll.5.dr Static PE information: section name: .rzgl
Source: TAPI32.dll.5.dr Static PE information: section name: .yic
Source: TAPI32.dll.5.dr Static PE information: section name: .zfmbo
Source: TAPI32.dll.5.dr Static PE information: section name: .kurwl
Source: TAPI32.dll.5.dr Static PE information: section name: .crlsf
Source: TAPI32.dll.5.dr Static PE information: section name: .wrn
Source: TAPI32.dll.5.dr Static PE information: section name: .blcv
Source: TAPI32.dll.5.dr Static PE information: section name: .roblb
Source: TAPI32.dll.5.dr Static PE information: section name: .yblxa
Source: TAPI32.dll.5.dr Static PE information: section name: .tfy
Source: TAPI32.dll.5.dr Static PE information: section name: .wsmv
Source: TAPI32.dll.5.dr Static PE information: section name: .hrs
Source: TAPI32.dll.5.dr Static PE information: section name: .ppapg
Source: TAPI32.dll.5.dr Static PE information: section name: .udm
Source: TAPI32.dll.5.dr Static PE information: section name: .fxc
Source: TAPI32.dll.5.dr Static PE information: section name: .fvxxk
Source: TAPI32.dll.5.dr Static PE information: section name: .zmj
Source: TAPI32.dll.5.dr Static PE information: section name: .zvz
Source: TAPI32.dll.5.dr Static PE information: section name: .xyiz
Source: TAPI32.dll.5.dr Static PE information: section name: .gbzxp
Source: TAPI32.dll.5.dr Static PE information: section name: .kkivgv
Source: TAPI32.dll.5.dr Static PE information: section name: .evwibb
Source: TAPI32.dll.5.dr Static PE information: section name: .apbeye
Source: WINMM.dll.5.dr Static PE information: section name: .qkm
Source: WINMM.dll.5.dr Static PE information: section name: .cvjb
Source: WINMM.dll.5.dr Static PE information: section name: .tlmkv
Source: WINMM.dll.5.dr Static PE information: section name: .wucsxe
Source: WINMM.dll.5.dr Static PE information: section name: .fltwtj
Source: WINMM.dll.5.dr Static PE information: section name: .sfplio
Source: WINMM.dll.5.dr Static PE information: section name: .rpg
Source: WINMM.dll.5.dr Static PE information: section name: .bewzc
Source: WINMM.dll.5.dr Static PE information: section name: .vksvaw
Source: WINMM.dll.5.dr Static PE information: section name: .wmhg
Source: WINMM.dll.5.dr Static PE information: section name: .kswemc
Source: WINMM.dll.5.dr Static PE information: section name: .kaxfk
Source: WINMM.dll.5.dr Static PE information: section name: .pjf
Source: WINMM.dll.5.dr Static PE information: section name: .retjqj
Source: WINMM.dll.5.dr Static PE information: section name: .mizn
Source: WINMM.dll.5.dr Static PE information: section name: .rsrub
Source: WINMM.dll.5.dr Static PE information: section name: .fhgxfk
Source: WINMM.dll.5.dr Static PE information: section name: .wqpbrq
Source: WINMM.dll.5.dr Static PE information: section name: .xlhbgj
Source: WINMM.dll.5.dr Static PE information: section name: .rzgl
Source: WINMM.dll.5.dr Static PE information: section name: .yic
Source: WINMM.dll.5.dr Static PE information: section name: .zfmbo
Source: WINMM.dll.5.dr Static PE information: section name: .kurwl
Source: WINMM.dll.5.dr Static PE information: section name: .crlsf
Source: WINMM.dll.5.dr Static PE information: section name: .wrn
Source: WINMM.dll.5.dr Static PE information: section name: .blcv
Source: WINMM.dll.5.dr Static PE information: section name: .roblb
Source: WINMM.dll.5.dr Static PE information: section name: .yblxa
Source: WINMM.dll.5.dr Static PE information: section name: .tfy
Source: WINMM.dll.5.dr Static PE information: section name: .wsmv
Source: WINMM.dll.5.dr Static PE information: section name: .hrs
Source: WINMM.dll.5.dr Static PE information: section name: .ppapg
Source: WINMM.dll.5.dr Static PE information: section name: .udm
Source: WINMM.dll.5.dr Static PE information: section name: .fxc
Source: WINMM.dll.5.dr Static PE information: section name: .fvxxk
Source: WINMM.dll.5.dr Static PE information: section name: .zmj
Source: WINMM.dll.5.dr Static PE information: section name: .zvz
Source: WINMM.dll.5.dr Static PE information: section name: .xyiz
Source: WINMM.dll.5.dr Static PE information: section name: .gbzxp
Source: WINMM.dll.5.dr Static PE information: section name: .kkivgv
Source: WINMM.dll.5.dr Static PE information: section name: .evwibb
Source: WINMM.dll.5.dr Static PE information: section name: .aao
PE file contains an invalid checksum
Source: FVEWIZ.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x219e6e
Source: TAPI32.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x21d462
Source: DUI70.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x25ec74
Source: WINSTA.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x218cc7
Source: SYSDM.CPL.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x21750b
Source: WINMM.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2211c1
Source: VERSION.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x21b310
Source: A1ogRC4R34.dll Static PE information: real checksum: 0x7d786c40 should be: 0x21d47c
Source: dpx.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x21e2ea
Binary contains a suspicious time stamp
Source: rdpinit.exe.5.dr Static PE information: 0xC894E371 [Fri Aug 21 01:59:13 2076 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\fID\WINSTA.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\kyOIt4HX\tcmsetup.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\fID\rdpinit.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\VcAfkDB\unregmp2.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\uBsjD\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\SaryWtyzg\PresentationSettings.exe
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\kyOIt4HX\tcmsetup.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\SaryWtyzg\PresentationSettings.exe
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785A82EA4 rdtsc 24_2_00007FF785A82EA4
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005C340 GetSystemInfo, 1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D290 FindFirstFileExW, 1_2_000000014005D290
Source: explorer.exe, 00000005.00000000.278790068.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.252062582.000000000113D000.00000004.00000020.sdmp Binary or memory string: 0000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.236866941.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.235527628.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000005.00000000.284113222.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000005.00000000.279536555.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000005.00000000.284113222.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000005.00000000.252062582.000000000113D000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir99

Anti Debugging:

Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785A82EA4 VerSetConditionMask,VerifyVersionInfoW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentProcess,GetProcessMitigationPolicy,LocalAlloc,~SyncLockT,FreeLibrary,~SyncLockT,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetModuleFileNameW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetModuleHandleExW,GetLastError,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,HeapFree,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FreeLibrary,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,~SyncLockT,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetP 24_2_00007FF785A82EA4
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785A82EA4 rdtsc 24_2_00007FF785A82EA4
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140048AC0 LdrLoadDll,FindClose, 1_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AB72B4 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00007FF785AB72B4
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AAEA28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00007FF785AAEA28
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AAF1E0 SetUnhandledExceptionFilter, 24_2_00007FF785AAF1E0
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe Code function: 31_2_00007FF69E092780 SetUnhandledExceptionFilter, 31_2_00007FF69E092780
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe Code function: 31_2_00007FF69E092AB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_00007FF69E092AB4

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: WINSTA.dll.5.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1
Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp, rdpinit.exe Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000005.00000000.277225784.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe Queries volume information: unknown VolumeInformation
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AB060C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 24_2_00007FF785AB060C
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AAE34B GetStartupInfoW,GetVersionExW,_FF_MSGBANNER,_FF_MSGBANNER,GetCommandLineA, 24_2_00007FF785AAE34B

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AA3630 SetPropW,RpcBindingFree, 24_2_00007FF785AA3630
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AA1DF0 RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen, 24_2_00007FF785AA1DF0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785A8D87C RegisterTraceGuidsW,HeapSetInformation,GetLastError,CreateMutexW,GetLastError,GetLastError,CreateMutexW,GetLastError,GetLastError,CoInitializeEx,GetModuleHandleW,SetProcessShutdownParameters,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,GetSystemMetrics,RpcMgmtWaitServerListen,WTSLogoffSession,CoUninitialize,UnregisterTraceGuids,CloseHandle, 24_2_00007FF785A8D87C
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AA1FE0 GetCurrentProcess,OpenProcessToken,GetLastError,RpcBindingToStringBindingW,RpcStringBindingParseW,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,RpcServerInqBindingHandle,RpcServerInqCallAttributesW,GetLastError,RpcImpersonateClient,GetCurrentThread,OpenThreadToken,GetLastError,GetTokenInformation,GetLastError,GetSidSubAuthority,GetSidSubAuthority,CloseHandle,CloseHandle,LocalFree,LocalFree,RpcRevertToSelf,RpcStringFreeW,RpcStringFreeW, 24_2_00007FF785AA1FE0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AA3FE0 RpcBindingFree,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcBindingSetAuthInfoExW,RpcBindingFree,RpcStringFreeW, 24_2_00007FF785AA3FE0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe Code function: 24_2_00007FF785AA3F90 RpcBindingFree, 24_2_00007FF785AA3F90
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe Code function: 31_2_00007FF69E0921B8 RpcBindingCreateW,RpcBindingBind,NdrClientCall3,RpcBindingFree, 31_2_00007FF69E0921B8
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe Code function: 31_2_00007FF69E0922F0 RpcBindingFree, 31_2_00007FF69E0922F0
No contacted IP infos