Play interactive tour

Edit tour

Windows Analysis Report A1ogRC4R34

Overview

General Information

Sample Name:	A1ogRC4R34 (renamed file extension from none to dll)
Analysis ID:	492806
MD5:	5edd6ba336c4de29f55cadfd2167a67e
SHA1:	af181a8f3fe25a515a8fe2a02559e5daceecf976
SHA256:	eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d
Tags:	Dridexexe
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes memory attributes in foreign processes to executable or writable

Machine Learning detection for sample

Queues an APC in another process (thread injection)

Machine Learning detection for dropped file

Accesses ntoskrnl, likely to find offsets for exploits

Uses Atom Bombing / ProGate to inject into other processes

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries the installation date of Windows

Detected potential crypto function

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Contains functionality for execution timing, often used to detect debuggers

Drops files with a non-matching file extension (content does not match file extension)

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Binary contains a suspicious time stamp

PE file contains more sections than normal

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7096 cmdline: loaddll64.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)

cmd.exe (PID: 3192 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 6396 cmdline: rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6408 cmdline: rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameA MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

rdpinit.exe (PID: 6372 cmdline: C:\Windows\system32\rdpinit.exe MD5: EF7C9CF6EA5B8B9C5C8320990714C35D)

rdpinit.exe (PID: 5620 cmdline: C:\Users\user\AppData\Local\fID\rdpinit.exe MD5: EF7C9CF6EA5B8B9C5C8320990714C35D)

DmNotificationBroker.exe (PID: 4592 cmdline: C:\Windows\system32\DmNotificationBroker.exe MD5: 1643D5735213BC89C0012F0E48253765)

DmNotificationBroker.exe (PID: 5212 cmdline: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe MD5: 1643D5735213BC89C0012F0E48253765)

BitLockerWizardElev.exe (PID: 4916 cmdline: C:\Windows\system32\BitLockerWizardElev.exe MD5: 3104EA9ECCA9ED71A382CCAAD618CEAE)

BitLockerWizardElev.exe (PID: 6400 cmdline: C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe MD5: 3104EA9ECCA9ED71A382CCAAD618CEAE)

wusa.exe (PID: 3676 cmdline: C:\Windows\system32\wusa.exe MD5: 04CE745559916B99248F266BBF5F9ED9)

wusa.exe (PID: 964 cmdline: C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe MD5: 04CE745559916B99248F266BBF5F9ED9)

SystemPropertiesAdvanced.exe (PID: 6548 cmdline: C:\Windows\system32\SystemPropertiesAdvanced.exe MD5: 82ED6250B9AA030DDC13DC075D2C16E3)

SystemPropertiesAdvanced.exe (PID: 6656 cmdline: C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe MD5: 82ED6250B9AA030DDC13DC075D2C16E3)

unregmp2.exe (PID: 7140 cmdline: C:\Windows\system32\unregmp2.exe MD5: 9B517303C58CA8A450B97B0D71594CBB)

rundll32.exe (PID: 6492 cmdline: rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameW MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3684 cmdline: rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,RemoteAssistancePrepareSystemRestore MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000028.00000002.476229981.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000007.00000002.248393203.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.327777249.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000018.00000002.356788011.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001F.00000002.390772898.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000026.00000002.449479227.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000004.00000002.234114370.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000006.00000002.241053387.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000022.00000002.416996891.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: A1ogRC4R34.dll	Virustotal: Detection: 62%	Perma Link
Source: A1ogRC4R34.dll	Metadefender: Detection: 57%	Perma Link
Source: A1ogRC4R34.dll	ReversingLabs: Detection: 75%

Antivirus / Scanner detection for submitted sample

Show sources

Source: A1ogRC4R34.dll

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\fID\WINSTA.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\uBsjD\DUI70.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL	Avira: detection malicious, Label: HEUR/AGEN.1114452

Machine Learning detection for sample

Show sources

Source: A1ogRC4R34.dll

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\fID\WINSTA.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\uBsjD\DUI70.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe

Code function: 24_2_00007FF785A82D94 CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext,

Exploits:

Accesses ntoskrnl, likely to find offsets for exploits

Show sources

Source: C:\Windows\explorer.exe

File opened: C:\Windows\system32\ntkrnlmp.exe

Source: A1ogRC4R34.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014005D290 FindFirstFileExW,

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000028.00000002.476229981.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.248393203.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.327777249.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.356788011.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.390772898.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.449479227.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.234114370.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.241053387.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.416996891.0000000140001000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785A82EA4
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AAE688
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AB8E00
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785ABA908
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785A8D87C
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785A91780
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AB7ACC
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AB9B14
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AB8A40
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785ABB1C0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AAE12C
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AB1978
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AB4CD0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785A9FCF0
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AAFC6C

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140046C90 NtClose,
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000000014006A4B0 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AA9590 GetWindowThreadProcessId,CloseHandle,OpenProcess,QueryFullProcessImageNameW,NtQueryInformationProcess,CloseHandle,

Source: DmNotificationBroker.exe.5.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: BitLockerWizardElev.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BitLockerWizardElev.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BitLockerWizardElev.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesAdvanced.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesAdvanced.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesAdvanced.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: FVEWIZ.dll.5.dr	Static PE information: Number of sections : 48 > 10
Source: TAPI32.dll.5.dr	Static PE information: Number of sections : 48 > 10
Source: DUI70.dll.5.dr	Static PE information: Number of sections : 48 > 10
Source: WINSTA.dll.5.dr	Static PE information: Number of sections : 48 > 10
Source: SYSDM.CPL.5.dr	Static PE information: Number of sections : 48 > 10
Source: WINMM.dll.5.dr	Static PE information: Number of sections : 48 > 10
Source: VERSION.dll.5.dr	Static PE information: Number of sections : 48 > 10
Source: A1ogRC4R34.dll	Static PE information: Number of sections : 47 > 10
Source: dpx.dll.5.dr	Static PE information: Number of sections : 47 > 10

Source: A1ogRC4R34.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FVEWIZ.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dpx.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TAPI32.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: A1ogRC4R34.dll	Virustotal: Detection: 62%
Source: A1ogRC4R34.dll	Metadefender: Detection: 57%
Source: A1ogRC4R34.dll	ReversingLabs: Detection: 75%

Source: A1ogRC4R34.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,RemoteAssistancePrepareSystemRestore
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\rdpinit.exe C:\Windows\system32\rdpinit.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\fID\rdpinit.exe C:\Users\user\AppData\Local\fID\rdpinit.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\BitLockerWizardElev.exe C:\Windows\system32\BitLockerWizardElev.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\unregmp2.exe C:\Windows\system32\unregmp2.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameA
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,RemoteAssistancePrepareSystemRestore
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\rdpinit.exe C:\Windows\system32\rdpinit.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\fID\rdpinit.exe C:\Users\user\AppData\Local\fID\rdpinit.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\BitLockerWizardElev.exe C:\Windows\system32\BitLockerWizardElev.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\unregmp2.exe C:\Windows\system32\unregmp2.exe
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winDLL@38/17@0/0

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe

Code function: 24_2_00007FF785A91D80 CoCreateInstance,CoSetProxyBlanket,

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameA

Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Mutant created: \Sessions\1\BaseNamedObjects\{0ad3bd68-c5ec-a10f-ef97-5ace4ed7d359}
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Mutant created: \Sessions\1\BaseNamedObjects\{f429f929-471a-28a5-5cf5-8c81149c5888}

Source: rdpinit.exe

String found in binary or memory: Re-Start RdpShell failed

Source: A1ogRC4R34.dll

Static PE information: More than 166 > 100 exports found

Source: A1ogRC4R34.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: A1ogRC4R34.dll

Static file information: File size 2166784 > 1048576

Source: A1ogRC4R34.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_0000000140056A4D push rdi; ret
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785A94162 push rcx; ret

Source: A1ogRC4R34.dll	Static PE information: section name: .qkm
Source: A1ogRC4R34.dll	Static PE information: section name: .cvjb
Source: A1ogRC4R34.dll	Static PE information: section name: .tlmkv
Source: A1ogRC4R34.dll	Static PE information: section name: .wucsxe
Source: A1ogRC4R34.dll	Static PE information: section name: .fltwtj
Source: A1ogRC4R34.dll	Static PE information: section name: .sfplio
Source: A1ogRC4R34.dll	Static PE information: section name: .rpg
Source: A1ogRC4R34.dll	Static PE information: section name: .bewzc
Source: A1ogRC4R34.dll	Static PE information: section name: .vksvaw
Source: A1ogRC4R34.dll	Static PE information: section name: .wmhg
Source: A1ogRC4R34.dll	Static PE information: section name: .kswemc
Source: A1ogRC4R34.dll	Static PE information: section name: .kaxfk
Source: A1ogRC4R34.dll	Static PE information: section name: .pjf
Source: A1ogRC4R34.dll	Static PE information: section name: .retjqj
Source: A1ogRC4R34.dll	Static PE information: section name: .mizn
Source: A1ogRC4R34.dll	Static PE information: section name: .rsrub
Source: A1ogRC4R34.dll	Static PE information: section name: .fhgxfk
Source: A1ogRC4R34.dll	Static PE information: section name: .wqpbrq
Source: A1ogRC4R34.dll	Static PE information: section name: .xlhbgj
Source: A1ogRC4R34.dll	Static PE information: section name: .rzgl
Source: A1ogRC4R34.dll	Static PE information: section name: .yic
Source: A1ogRC4R34.dll	Static PE information: section name: .zfmbo
Source: A1ogRC4R34.dll	Static PE information: section name: .kurwl
Source: A1ogRC4R34.dll	Static PE information: section name: .crlsf
Source: A1ogRC4R34.dll	Static PE information: section name: .wrn
Source: A1ogRC4R34.dll	Static PE information: section name: .blcv
Source: A1ogRC4R34.dll	Static PE information: section name: .roblb
Source: A1ogRC4R34.dll	Static PE information: section name: .yblxa
Source: A1ogRC4R34.dll	Static PE information: section name: .tfy
Source: A1ogRC4R34.dll	Static PE information: section name: .wsmv
Source: A1ogRC4R34.dll	Static PE information: section name: .hrs
Source: A1ogRC4R34.dll	Static PE information: section name: .ppapg
Source: A1ogRC4R34.dll	Static PE information: section name: .udm
Source: A1ogRC4R34.dll	Static PE information: section name: .fxc
Source: A1ogRC4R34.dll	Static PE information: section name: .fvxxk
Source: A1ogRC4R34.dll	Static PE information: section name: .zmj
Source: A1ogRC4R34.dll	Static PE information: section name: .zvz
Source: A1ogRC4R34.dll	Static PE information: section name: .xyiz
Source: A1ogRC4R34.dll	Static PE information: section name: .gbzxp
Source: A1ogRC4R34.dll	Static PE information: section name: .kkivgv
Source: A1ogRC4R34.dll	Static PE information: section name: .evwibb
Source: rdpinit.exe.5.dr	Static PE information: section name: .imrsiv
Source: DmNotificationBroker.exe.5.dr	Static PE information: section name: .imrsiv
Source: WINSTA.dll.5.dr	Static PE information: section name: .qkm
Source: WINSTA.dll.5.dr	Static PE information: section name: .cvjb
Source: WINSTA.dll.5.dr	Static PE information: section name: .tlmkv
Source: WINSTA.dll.5.dr	Static PE information: section name: .wucsxe
Source: WINSTA.dll.5.dr	Static PE information: section name: .fltwtj
Source: WINSTA.dll.5.dr	Static PE information: section name: .sfplio
Source: WINSTA.dll.5.dr	Static PE information: section name: .rpg
Source: WINSTA.dll.5.dr	Static PE information: section name: .bewzc
Source: WINSTA.dll.5.dr	Static PE information: section name: .vksvaw
Source: WINSTA.dll.5.dr	Static PE information: section name: .wmhg
Source: WINSTA.dll.5.dr	Static PE information: section name: .kswemc
Source: WINSTA.dll.5.dr	Static PE information: section name: .kaxfk
Source: WINSTA.dll.5.dr	Static PE information: section name: .pjf
Source: WINSTA.dll.5.dr	Static PE information: section name: .retjqj
Source: WINSTA.dll.5.dr	Static PE information: section name: .mizn
Source: WINSTA.dll.5.dr	Static PE information: section name: .rsrub
Source: WINSTA.dll.5.dr	Static PE information: section name: .fhgxfk
Source: WINSTA.dll.5.dr	Static PE information: section name: .wqpbrq
Source: WINSTA.dll.5.dr	Static PE information: section name: .xlhbgj
Source: WINSTA.dll.5.dr	Static PE information: section name: .rzgl
Source: WINSTA.dll.5.dr	Static PE information: section name: .yic
Source: WINSTA.dll.5.dr	Static PE information: section name: .zfmbo
Source: WINSTA.dll.5.dr	Static PE information: section name: .kurwl
Source: WINSTA.dll.5.dr	Static PE information: section name: .crlsf
Source: WINSTA.dll.5.dr	Static PE information: section name: .wrn
Source: WINSTA.dll.5.dr	Static PE information: section name: .blcv
Source: WINSTA.dll.5.dr	Static PE information: section name: .roblb
Source: WINSTA.dll.5.dr	Static PE information: section name: .yblxa
Source: WINSTA.dll.5.dr	Static PE information: section name: .tfy
Source: WINSTA.dll.5.dr	Static PE information: section name: .wsmv
Source: WINSTA.dll.5.dr	Static PE information: section name: .hrs
Source: WINSTA.dll.5.dr	Static PE information: section name: .ppapg
Source: WINSTA.dll.5.dr	Static PE information: section name: .udm
Source: WINSTA.dll.5.dr	Static PE information: section name: .fxc
Source: WINSTA.dll.5.dr	Static PE information: section name: .fvxxk
Source: WINSTA.dll.5.dr	Static PE information: section name: .zmj
Source: WINSTA.dll.5.dr	Static PE information: section name: .zvz
Source: WINSTA.dll.5.dr	Static PE information: section name: .xyiz
Source: WINSTA.dll.5.dr	Static PE information: section name: .gbzxp
Source: WINSTA.dll.5.dr	Static PE information: section name: .kkivgv
Source: WINSTA.dll.5.dr	Static PE information: section name: .evwibb
Source: WINSTA.dll.5.dr	Static PE information: section name: .rqefr
Source: DUI70.dll.5.dr	Static PE information: section name: .qkm
Source: DUI70.dll.5.dr	Static PE information: section name: .cvjb
Source: DUI70.dll.5.dr	Static PE information: section name: .tlmkv
Source: DUI70.dll.5.dr	Static PE information: section name: .wucsxe
Source: DUI70.dll.5.dr	Static PE information: section name: .fltwtj
Source: DUI70.dll.5.dr	Static PE information: section name: .sfplio
Source: DUI70.dll.5.dr	Static PE information: section name: .rpg
Source: DUI70.dll.5.dr	Static PE information: section name: .bewzc
Source: DUI70.dll.5.dr	Static PE information: section name: .vksvaw
Source: DUI70.dll.5.dr	Static PE information: section name: .wmhg
Source: DUI70.dll.5.dr	Static PE information: section name: .kswemc
Source: DUI70.dll.5.dr	Static PE information: section name: .kaxfk
Source: DUI70.dll.5.dr	Static PE information: section name: .pjf
Source: DUI70.dll.5.dr	Static PE information: section name: .retjqj
Source: DUI70.dll.5.dr	Static PE information: section name: .mizn
Source: DUI70.dll.5.dr	Static PE information: section name: .rsrub
Source: DUI70.dll.5.dr	Static PE information: section name: .fhgxfk
Source: DUI70.dll.5.dr	Static PE information: section name: .wqpbrq
Source: DUI70.dll.5.dr	Static PE information: section name: .xlhbgj
Source: DUI70.dll.5.dr	Static PE information: section name: .rzgl
Source: DUI70.dll.5.dr	Static PE information: section name: .yic
Source: DUI70.dll.5.dr	Static PE information: section name: .zfmbo
Source: DUI70.dll.5.dr	Static PE information: section name: .kurwl
Source: DUI70.dll.5.dr	Static PE information: section name: .crlsf
Source: DUI70.dll.5.dr	Static PE information: section name: .wrn
Source: DUI70.dll.5.dr	Static PE information: section name: .blcv
Source: DUI70.dll.5.dr	Static PE information: section name: .roblb
Source: DUI70.dll.5.dr	Static PE information: section name: .yblxa
Source: DUI70.dll.5.dr	Static PE information: section name: .tfy
Source: DUI70.dll.5.dr	Static PE information: section name: .wsmv
Source: DUI70.dll.5.dr	Static PE information: section name: .hrs
Source: DUI70.dll.5.dr	Static PE information: section name: .ppapg
Source: DUI70.dll.5.dr	Static PE information: section name: .udm
Source: DUI70.dll.5.dr	Static PE information: section name: .fxc
Source: DUI70.dll.5.dr	Static PE information: section name: .fvxxk
Source: DUI70.dll.5.dr	Static PE information: section name: .zmj
Source: DUI70.dll.5.dr	Static PE information: section name: .zvz
Source: DUI70.dll.5.dr	Static PE information: section name: .xyiz
Source: DUI70.dll.5.dr	Static PE information: section name: .gbzxp
Source: DUI70.dll.5.dr	Static PE information: section name: .kkivgv
Source: DUI70.dll.5.dr	Static PE information: section name: .evwibb
Source: DUI70.dll.5.dr	Static PE information: section name: .kcklp
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .qkm
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .cvjb
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .tlmkv
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .wucsxe
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .fltwtj
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .sfplio
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .rpg
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .bewzc
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .vksvaw
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .wmhg
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .kswemc
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .kaxfk
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .pjf
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .retjqj
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .mizn
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .rsrub
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .fhgxfk
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .wqpbrq
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .xlhbgj
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .rzgl
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .yic
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .zfmbo
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .kurwl
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .crlsf
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .wrn
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .blcv
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .roblb
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .yblxa
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .tfy
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .wsmv
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .hrs
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .ppapg
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .udm
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .fxc
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .fvxxk
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .zmj
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .zvz
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .xyiz
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .gbzxp
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .kkivgv
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .evwibb
Source: FVEWIZ.dll.5.dr	Static PE information: section name: .nzduo
Source: dpx.dll.5.dr	Static PE information: section name: .qkm
Source: dpx.dll.5.dr	Static PE information: section name: .cvjb
Source: dpx.dll.5.dr	Static PE information: section name: .tlmkv
Source: dpx.dll.5.dr	Static PE information: section name: .wucsxe
Source: dpx.dll.5.dr	Static PE information: section name: .fltwtj
Source: dpx.dll.5.dr	Static PE information: section name: .sfplio
Source: dpx.dll.5.dr	Static PE information: section name: .rpg
Source: dpx.dll.5.dr	Static PE information: section name: .bewzc
Source: dpx.dll.5.dr	Static PE information: section name: .vksvaw
Source: dpx.dll.5.dr	Static PE information: section name: .wmhg
Source: dpx.dll.5.dr	Static PE information: section name: .kswemc
Source: dpx.dll.5.dr	Static PE information: section name: .kaxfk
Source: dpx.dll.5.dr	Static PE information: section name: .pjf
Source: dpx.dll.5.dr	Static PE information: section name: .retjqj
Source: dpx.dll.5.dr	Static PE information: section name: .mizn
Source: dpx.dll.5.dr	Static PE information: section name: .rsrub
Source: dpx.dll.5.dr	Static PE information: section name: .fhgxfk
Source: dpx.dll.5.dr	Static PE information: section name: .wqpbrq
Source: dpx.dll.5.dr	Static PE information: section name: .xlhbgj
Source: dpx.dll.5.dr	Static PE information: section name: .rzgl
Source: dpx.dll.5.dr	Static PE information: section name: .yic
Source: dpx.dll.5.dr	Static PE information: section name: .zfmbo
Source: dpx.dll.5.dr	Static PE information: section name: .kurwl
Source: dpx.dll.5.dr	Static PE information: section name: .crlsf
Source: dpx.dll.5.dr	Static PE information: section name: .wrn
Source: dpx.dll.5.dr	Static PE information: section name: .blcv
Source: dpx.dll.5.dr	Static PE information: section name: .roblb
Source: dpx.dll.5.dr	Static PE information: section name: .yblxa
Source: dpx.dll.5.dr	Static PE information: section name: .tfy
Source: dpx.dll.5.dr	Static PE information: section name: .wsmv
Source: dpx.dll.5.dr	Static PE information: section name: .hrs
Source: dpx.dll.5.dr	Static PE information: section name: .ppapg
Source: dpx.dll.5.dr	Static PE information: section name: .udm
Source: dpx.dll.5.dr	Static PE information: section name: .fxc
Source: dpx.dll.5.dr	Static PE information: section name: .fvxxk
Source: dpx.dll.5.dr	Static PE information: section name: .zmj
Source: dpx.dll.5.dr	Static PE information: section name: .zvz
Source: dpx.dll.5.dr	Static PE information: section name: .xyiz
Source: dpx.dll.5.dr	Static PE information: section name: .gbzxp
Source: dpx.dll.5.dr	Static PE information: section name: .kkivgv
Source: dpx.dll.5.dr	Static PE information: section name: .evwibb
Source: SYSDM.CPL.5.dr	Static PE information: section name: .qkm
Source: SYSDM.CPL.5.dr	Static PE information: section name: .cvjb
Source: SYSDM.CPL.5.dr	Static PE information: section name: .tlmkv
Source: SYSDM.CPL.5.dr	Static PE information: section name: .wucsxe
Source: SYSDM.CPL.5.dr	Static PE information: section name: .fltwtj
Source: SYSDM.CPL.5.dr	Static PE information: section name: .sfplio
Source: SYSDM.CPL.5.dr	Static PE information: section name: .rpg
Source: SYSDM.CPL.5.dr	Static PE information: section name: .bewzc
Source: SYSDM.CPL.5.dr	Static PE information: section name: .vksvaw
Source: SYSDM.CPL.5.dr	Static PE information: section name: .wmhg
Source: SYSDM.CPL.5.dr	Static PE information: section name: .kswemc
Source: SYSDM.CPL.5.dr	Static PE information: section name: .kaxfk
Source: SYSDM.CPL.5.dr	Static PE information: section name: .pjf
Source: SYSDM.CPL.5.dr	Static PE information: section name: .retjqj
Source: SYSDM.CPL.5.dr	Static PE information: section name: .mizn
Source: SYSDM.CPL.5.dr	Static PE information: section name: .rsrub
Source: SYSDM.CPL.5.dr	Static PE information: section name: .fhgxfk
Source: SYSDM.CPL.5.dr	Static PE information: section name: .wqpbrq
Source: SYSDM.CPL.5.dr	Static PE information: section name: .xlhbgj
Source: SYSDM.CPL.5.dr	Static PE information: section name: .rzgl
Source: SYSDM.CPL.5.dr	Static PE information: section name: .yic
Source: SYSDM.CPL.5.dr	Static PE information: section name: .zfmbo
Source: SYSDM.CPL.5.dr	Static PE information: section name: .kurwl
Source: SYSDM.CPL.5.dr	Static PE information: section name: .crlsf
Source: SYSDM.CPL.5.dr	Static PE information: section name: .wrn
Source: SYSDM.CPL.5.dr	Static PE information: section name: .blcv
Source: SYSDM.CPL.5.dr	Static PE information: section name: .roblb
Source: SYSDM.CPL.5.dr	Static PE information: section name: .yblxa
Source: SYSDM.CPL.5.dr	Static PE information: section name: .tfy
Source: SYSDM.CPL.5.dr	Static PE information: section name: .wsmv
Source: SYSDM.CPL.5.dr	Static PE information: section name: .hrs
Source: SYSDM.CPL.5.dr	Static PE information: section name: .ppapg
Source: SYSDM.CPL.5.dr	Static PE information: section name: .udm
Source: SYSDM.CPL.5.dr	Static PE information: section name: .fxc
Source: SYSDM.CPL.5.dr	Static PE information: section name: .fvxxk
Source: SYSDM.CPL.5.dr	Static PE information: section name: .zmj
Source: SYSDM.CPL.5.dr	Static PE information: section name: .zvz
Source: SYSDM.CPL.5.dr	Static PE information: section name: .xyiz
Source: SYSDM.CPL.5.dr	Static PE information: section name: .gbzxp
Source: SYSDM.CPL.5.dr	Static PE information: section name: .kkivgv
Source: SYSDM.CPL.5.dr	Static PE information: section name: .evwibb
Source: SYSDM.CPL.5.dr	Static PE information: section name: .ffktuw
Source: VERSION.dll.5.dr	Static PE information: section name: .qkm
Source: VERSION.dll.5.dr	Static PE information: section name: .cvjb
Source: VERSION.dll.5.dr	Static PE information: section name: .tlmkv
Source: VERSION.dll.5.dr	Static PE information: section name: .wucsxe
Source: VERSION.dll.5.dr	Static PE information: section name: .fltwtj
Source: VERSION.dll.5.dr	Static PE information: section name: .sfplio
Source: VERSION.dll.5.dr	Static PE information: section name: .rpg
Source: VERSION.dll.5.dr	Static PE information: section name: .bewzc
Source: VERSION.dll.5.dr	Static PE information: section name: .vksvaw
Source: VERSION.dll.5.dr	Static PE information: section name: .wmhg
Source: VERSION.dll.5.dr	Static PE information: section name: .kswemc
Source: VERSION.dll.5.dr	Static PE information: section name: .kaxfk
Source: VERSION.dll.5.dr	Static PE information: section name: .pjf
Source: VERSION.dll.5.dr	Static PE information: section name: .retjqj
Source: VERSION.dll.5.dr	Static PE information: section name: .mizn
Source: VERSION.dll.5.dr	Static PE information: section name: .rsrub
Source: VERSION.dll.5.dr	Static PE information: section name: .fhgxfk
Source: VERSION.dll.5.dr	Static PE information: section name: .wqpbrq
Source: VERSION.dll.5.dr	Static PE information: section name: .xlhbgj
Source: VERSION.dll.5.dr	Static PE information: section name: .rzgl
Source: VERSION.dll.5.dr	Static PE information: section name: .yic
Source: VERSION.dll.5.dr	Static PE information: section name: .zfmbo
Source: VERSION.dll.5.dr	Static PE information: section name: .kurwl
Source: VERSION.dll.5.dr	Static PE information: section name: .crlsf
Source: VERSION.dll.5.dr	Static PE information: section name: .wrn
Source: VERSION.dll.5.dr	Static PE information: section name: .blcv
Source: VERSION.dll.5.dr	Static PE information: section name: .roblb
Source: VERSION.dll.5.dr	Static PE information: section name: .yblxa
Source: VERSION.dll.5.dr	Static PE information: section name: .tfy
Source: VERSION.dll.5.dr	Static PE information: section name: .wsmv
Source: VERSION.dll.5.dr	Static PE information: section name: .hrs
Source: VERSION.dll.5.dr	Static PE information: section name: .ppapg
Source: VERSION.dll.5.dr	Static PE information: section name: .udm
Source: VERSION.dll.5.dr	Static PE information: section name: .fxc
Source: VERSION.dll.5.dr	Static PE information: section name: .fvxxk
Source: VERSION.dll.5.dr	Static PE information: section name: .zmj
Source: VERSION.dll.5.dr	Static PE information: section name: .zvz
Source: VERSION.dll.5.dr	Static PE information: section name: .xyiz
Source: VERSION.dll.5.dr	Static PE information: section name: .gbzxp
Source: VERSION.dll.5.dr	Static PE information: section name: .kkivgv
Source: VERSION.dll.5.dr	Static PE information: section name: .evwibb
Source: VERSION.dll.5.dr	Static PE information: section name: .swia
Source: TAPI32.dll.5.dr	Static PE information: section name: .qkm
Source: TAPI32.dll.5.dr	Static PE information: section name: .cvjb
Source: TAPI32.dll.5.dr	Static PE information: section name: .tlmkv
Source: TAPI32.dll.5.dr	Static PE information: section name: .wucsxe
Source: TAPI32.dll.5.dr	Static PE information: section name: .fltwtj
Source: TAPI32.dll.5.dr	Static PE information: section name: .sfplio
Source: TAPI32.dll.5.dr	Static PE information: section name: .rpg
Source: TAPI32.dll.5.dr	Static PE information: section name: .bewzc
Source: TAPI32.dll.5.dr	Static PE information: section name: .vksvaw
Source: TAPI32.dll.5.dr	Static PE information: section name: .wmhg
Source: TAPI32.dll.5.dr	Static PE information: section name: .kswemc
Source: TAPI32.dll.5.dr	Static PE information: section name: .kaxfk
Source: TAPI32.dll.5.dr	Static PE information: section name: .pjf
Source: TAPI32.dll.5.dr	Static PE information: section name: .retjqj
Source: TAPI32.dll.5.dr	Static PE information: section name: .mizn
Source: TAPI32.dll.5.dr	Static PE information: section name: .rsrub
Source: TAPI32.dll.5.dr	Static PE information: section name: .fhgxfk
Source: TAPI32.dll.5.dr	Static PE information: section name: .wqpbrq
Source: TAPI32.dll.5.dr	Static PE information: section name: .xlhbgj
Source: TAPI32.dll.5.dr	Static PE information: section name: .rzgl
Source: TAPI32.dll.5.dr	Static PE information: section name: .yic
Source: TAPI32.dll.5.dr	Static PE information: section name: .zfmbo
Source: TAPI32.dll.5.dr	Static PE information: section name: .kurwl
Source: TAPI32.dll.5.dr	Static PE information: section name: .crlsf
Source: TAPI32.dll.5.dr	Static PE information: section name: .wrn
Source: TAPI32.dll.5.dr	Static PE information: section name: .blcv
Source: TAPI32.dll.5.dr	Static PE information: section name: .roblb
Source: TAPI32.dll.5.dr	Static PE information: section name: .yblxa
Source: TAPI32.dll.5.dr	Static PE information: section name: .tfy
Source: TAPI32.dll.5.dr	Static PE information: section name: .wsmv
Source: TAPI32.dll.5.dr	Static PE information: section name: .hrs
Source: TAPI32.dll.5.dr	Static PE information: section name: .ppapg
Source: TAPI32.dll.5.dr	Static PE information: section name: .udm
Source: TAPI32.dll.5.dr	Static PE information: section name: .fxc
Source: TAPI32.dll.5.dr	Static PE information: section name: .fvxxk
Source: TAPI32.dll.5.dr	Static PE information: section name: .zmj
Source: TAPI32.dll.5.dr	Static PE information: section name: .zvz
Source: TAPI32.dll.5.dr	Static PE information: section name: .xyiz
Source: TAPI32.dll.5.dr	Static PE information: section name: .gbzxp
Source: TAPI32.dll.5.dr	Static PE information: section name: .kkivgv
Source: TAPI32.dll.5.dr	Static PE information: section name: .evwibb
Source: TAPI32.dll.5.dr	Static PE information: section name: .apbeye
Source: WINMM.dll.5.dr	Static PE information: section name: .qkm
Source: WINMM.dll.5.dr	Static PE information: section name: .cvjb
Source: WINMM.dll.5.dr	Static PE information: section name: .tlmkv
Source: WINMM.dll.5.dr	Static PE information: section name: .wucsxe
Source: WINMM.dll.5.dr	Static PE information: section name: .fltwtj
Source: WINMM.dll.5.dr	Static PE information: section name: .sfplio
Source: WINMM.dll.5.dr	Static PE information: section name: .rpg
Source: WINMM.dll.5.dr	Static PE information: section name: .bewzc
Source: WINMM.dll.5.dr	Static PE information: section name: .vksvaw
Source: WINMM.dll.5.dr	Static PE information: section name: .wmhg
Source: WINMM.dll.5.dr	Static PE information: section name: .kswemc
Source: WINMM.dll.5.dr	Static PE information: section name: .kaxfk
Source: WINMM.dll.5.dr	Static PE information: section name: .pjf
Source: WINMM.dll.5.dr	Static PE information: section name: .retjqj
Source: WINMM.dll.5.dr	Static PE information: section name: .mizn
Source: WINMM.dll.5.dr	Static PE information: section name: .rsrub
Source: WINMM.dll.5.dr	Static PE information: section name: .fhgxfk
Source: WINMM.dll.5.dr	Static PE information: section name: .wqpbrq
Source: WINMM.dll.5.dr	Static PE information: section name: .xlhbgj
Source: WINMM.dll.5.dr	Static PE information: section name: .rzgl
Source: WINMM.dll.5.dr	Static PE information: section name: .yic
Source: WINMM.dll.5.dr	Static PE information: section name: .zfmbo
Source: WINMM.dll.5.dr	Static PE information: section name: .kurwl
Source: WINMM.dll.5.dr	Static PE information: section name: .crlsf
Source: WINMM.dll.5.dr	Static PE information: section name: .wrn
Source: WINMM.dll.5.dr	Static PE information: section name: .blcv
Source: WINMM.dll.5.dr	Static PE information: section name: .roblb
Source: WINMM.dll.5.dr	Static PE information: section name: .yblxa
Source: WINMM.dll.5.dr	Static PE information: section name: .tfy
Source: WINMM.dll.5.dr	Static PE information: section name: .wsmv
Source: WINMM.dll.5.dr	Static PE information: section name: .hrs
Source: WINMM.dll.5.dr	Static PE information: section name: .ppapg
Source: WINMM.dll.5.dr	Static PE information: section name: .udm
Source: WINMM.dll.5.dr	Static PE information: section name: .fxc
Source: WINMM.dll.5.dr	Static PE information: section name: .fvxxk
Source: WINMM.dll.5.dr	Static PE information: section name: .zmj
Source: WINMM.dll.5.dr	Static PE information: section name: .zvz
Source: WINMM.dll.5.dr	Static PE information: section name: .xyiz
Source: WINMM.dll.5.dr	Static PE information: section name: .gbzxp
Source: WINMM.dll.5.dr	Static PE information: section name: .kkivgv
Source: WINMM.dll.5.dr	Static PE information: section name: .evwibb
Source: WINMM.dll.5.dr	Static PE information: section name: .aao

Source: FVEWIZ.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x219e6e
Source: TAPI32.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x21d462
Source: DUI70.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x25ec74
Source: WINSTA.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x218cc7
Source: SYSDM.CPL.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x21750b
Source: WINMM.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2211c1
Source: VERSION.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x21b310
Source: A1ogRC4R34.dll	Static PE information: real checksum: 0x7d786c40 should be: 0x21d47c
Source: dpx.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x21e2ea

Source: rdpinit.exe.5.dr

Static PE information: 0xC894E371 [Fri Aug 21 01:59:13 2076 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL

Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\fID\WINSTA.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\kyOIt4HX\tcmsetup.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\fID\rdpinit.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\VcAfkDB\unregmp2.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\uBsjD\DUI70.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\SaryWtyzg\PresentationSettings.exe	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\kyOIt4HX\tcmsetup.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\SaryWtyzg\PresentationSettings.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe

Code function: 24_2_00007FF785A82EA4 rdtsc

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014005C340 GetSystemInfo,

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_000000014005D290 FindFirstFileExW,

Source: explorer.exe, 00000005.00000000.278790068.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.252062582.000000000113D000.00000004.00000020.sdmp	Binary or memory string: 0000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.236866941.0000000003767000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.235527628.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000005.00000000.284113222.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000005.00000000.279536555.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000005.00000000.284113222.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000005.00000000.252062582.000000000113D000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir99

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe

Code function: 24_2_00007FF785A82EA4 VerSetConditionMask,VerifyVersionInfoW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentProcess,GetProcessMitigationPolicy,LocalAlloc,~SyncLockT,FreeLibrary,~SyncLockT,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetModuleFileNameW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetModuleHandleExW,GetLastError,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,HeapFree,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FreeLibrary,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,~SyncLockT,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetP

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe

Code function: 24_2_00007FF785A82EA4 rdtsc

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_0000000140048AC0 LdrLoadDll,FindClose,

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AB72B4 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AAEA28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AAF1E0 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Code function: 31_2_00007FF69E092780 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Code function: 31_2_00007FF69E092AB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: WINSTA.dll.5.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Uses Atom Bombing / ProGate to inject into other processes

Show sources

Source: C:\Windows\System32\rundll32.exe

Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1

Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp, rdpinit.exe	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000005.00000000.277225784.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000005.00000000.252665962.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Queries volume information: unknown VolumeInformation

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe

Code function: 24_2_00007FF785AB060C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe

Code function: 24_2_00007FF785AAE34B GetStartupInfoW,GetVersionExW,_FF_MSGBANNER,_FF_MSGBANNER,GetCommandLineA,

Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AA3630 SetPropW,RpcBindingFree,
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AA1DF0 RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785A8D87C RegisterTraceGuidsW,HeapSetInformation,GetLastError,CreateMutexW,GetLastError,GetLastError,CreateMutexW,GetLastError,GetLastError,CoInitializeEx,GetModuleHandleW,SetProcessShutdownParameters,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,GetSystemMetrics,RpcMgmtWaitServerListen,WTSLogoffSession,CoUninitialize,UnregisterTraceGuids,CloseHandle,
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AA1FE0 GetCurrentProcess,OpenProcessToken,GetLastError,RpcBindingToStringBindingW,RpcStringBindingParseW,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,RpcServerInqBindingHandle,RpcServerInqCallAttributesW,GetLastError,RpcImpersonateClient,GetCurrentThread,OpenThreadToken,GetLastError,GetTokenInformation,GetLastError,GetSidSubAuthority,GetSidSubAuthority,CloseHandle,CloseHandle,LocalFree,LocalFree,RpcRevertToSelf,RpcStringFreeW,RpcStringFreeW,
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AA3FE0 RpcBindingFree,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcBindingSetAuthInfoExW,RpcBindingFree,RpcStringFreeW,
Source: C:\Users\user\AppData\Local\fID\rdpinit.exe	Code function: 24_2_00007FF785AA3F90 RpcBindingFree,
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Code function: 31_2_00007FF69E0921B8 RpcBindingCreateW,RpcBindingBind,NdrClientCall3,RpcBindingFree,
Source: C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe	Code function: 31_2_00007FF69E0922F0 RpcBindingFree,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Exploitation for Privilege Escalation1	Masquerading11	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	Process Injection312	Process Injection312	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing2	LSA Secrets	System Information Discovery25	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Timestomp1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
A1ogRC4R34.dll	62%	Virustotal		Browse
A1ogRC4R34.dll	57%	Metadefender		Browse
A1ogRC4R34.dll	76%	ReversingLabs	Win64.Infostealer.Dridex
A1ogRC4R34.dll	100%	Avira	TR/Crypt.ZPACK.Gen
A1ogRC4R34.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\fID\WINSTA.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\uBsjD\DUI70.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\fID\WINSTA.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\uBsjD\DUI70.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\SaryWtyzg\PresentationSettings.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\SaryWtyzg\PresentationSettings.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
31.2.DmNotificationBroker.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
24.2.rdpinit.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.loaddll64.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492806
Start date:	29.09.2021
Start time:	01:51:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 57s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	A1ogRC4R34 (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDLL@38/17@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 8.6% (good quality ratio 6.9%) Quality average: 72.7% Quality standard deviation: 40.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.199.120.182, 204.79.197.200, 13.107.21.200, 23.54.113.45, 20.50.102.62, 20.199.120.151, 23.54.113.53, 20.199.120.85, 23.54.113.104, 23.0.174.200, 23.0.174.185, 23.10.249.26, 23.10.249.43, 20.54.110.249, 40.112.88.60 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing behavior and disassembly information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\3HlyM7czl\SYSDM.CPL Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2170880
Entropy (8bit):	3.4921794252523632
Encrypted:	false
SSDEEP:	12288:fVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:WfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	0BDAF2F3724797EAF4254B3B131700E6
SHA1:	4E9489103C1BE75098B7D9382F436D39BB65D828
SHA-256:	866FBAEAE3267C7FA20C1F9C8A0D0CFC1699B6D98793FBDE193BC28936F7DAC8
SHA-512:	68100D08A418F66E25BA08668E43AC77D151190CB5E0028B86E287763631B466E8FC86F0376C22ABD5E14A57B1014C90B4CFE8A0EB3B0836C0C2EEDE0A7C766D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.0..DN^.........." ................p..........@............................. !.....@lx}..b...........................................!......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\3HlyM7czl\SystemPropertiesAdvanced.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83968
Entropy (8bit):	7.065147438048501
Encrypted:	false
SSDEEP:	1536:UfuZktREC/rMcgEPJV+G57ThjEC0kzJP+V5Jl:VkzECTMpuDhjRVJG3
MD5:	82ED6250B9AA030DDC13DC075D2C16E3
SHA1:	BC2BDCF474A7315232136B29291166E789D1F280
SHA-256:	F321BB53BBC41C2CBFFABC56837F9FA723AA0C6ACB68A0C200CBC7427202DC9E
SHA-512:	94D34293F070F6505D6922977AC1EF8E08DB0D92DCA8823BCF7376FD81B3AA80D2BD0FEF21FC74BCE08EEBF82DF09114A71792945DE4E3BB1FD0929538DF489B
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a..[a..[a..[h..[o..[..Z`..[..Zc..[..Zp..[a..[C..[..Zd..[..Z`..[..q[`..[..Z`..[Richa..[........................PE..d.....o..........."..........>.................@....................................AS....`.......... .......................................&.......P..0'...@.................. ...."..T............................ ...............!..8............................text............................... ..`.rdata..N.... ......................@..@.data........0......................@....pdata.......@......................@..@.rsrc...0'...P...(..................@..@.reloc.. ............F..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\H3fqckDRC\dpx.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2166784
Entropy (8bit):	3.4966791942802127
Encrypted:	false
SSDEEP:	12288:KVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:XfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	623DB87A3F248EA64BE5D903D21E9FB6
SHA1:	F816BA14F36DF9361B275670075534F8CEBB0A02
SHA-256:	2FECFF3A874320ACB1D2B749243CAF4714BA9507435EB066CD719435AED7E9D7
SHA-512:	5AF3F294602CA4366663183A77F8FEA2A3A871228C911A0CB8D3772442F74FEAC3EF1989C9AEBFEC2C3D4C50AFC321EDA05A3D321BCE8841D2A06EB497312B41
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d./..DN^.........." ................p..........@..............................!.....@lx}..b.........................................,o.......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\H3fqckDRC\wusa.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	308736
Entropy (8bit):	6.55894801361276
Encrypted:	false
SSDEEP:	6144:TozDd3UafMCFoMVclxM8cVM49UApxyN90vE:ToXd33MCFoqSxM5MmUAy90
MD5:	04CE745559916B99248F266BBF5F9ED9
SHA1:	76FA00103A89C735573D1D8946D8787A839475B6
SHA-256:	1D86701A861FFA88FE050A466E04281A4809C334B16832A84231DC6A5FBC4195
SHA-512:	B4D2EF6B90164E17258F53BCAF954076D02EDB7F496F4F79B2CF7848B90614F6160C8EB008BA5904521DD8B1449840B2D7EE368860E58E01FBEAB9873B654B3A
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..-..~..~..~v./~}.~....}.~....i.~....{.~....d.~..~w.~....k.~..C~~.~....~.~Rich..~................PE..d.....TS.........."......`...X.......f.........@....................................g.....`.......... .......................................I...........T...p..................`....?..T...................Pq..(...Pp..............xq..@............................text...3^.......`.................. ..`.rdata..^....p.......d..............@..@.data........`.......T..............@....pdata.......p.......X..............@..@.rsrc....T.......V...^..............@..@.reloc..`...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\SaryWtyzg\PresentationSettings.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	222208
Entropy (8bit):	6.618425906220987
Encrypted:	false
SSDEEP:	3072:dklO/b97taQPr5pT8as3lJwvkAarSvDZpFB+2xmh0QSoKKBlKxyAZEHA:Oo/b1txPlh8I+rUts2xmhfGKraEH
MD5:	76086DD04B6760277A2B897345A0B457
SHA1:	DC65093DB601FE7AA2F4C0C400D18F43DA92DCFA
SHA-256:	BF492302281E3CD4F023FB54E101D8C3BD00FFEAFF75B5D7FE0C1CA43F291A81
SHA-512:	6528C86BA0272274A907F8559DFD79C55D1A6BAF3A4545EF3F6CDC4C790CC9FBDB7A3A8A2E72D0ED39651975DF5967608111448D1351BDC659E8F0F5E8C72442
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.".>.q.>.q.>.q.F~q.>.q.Z.p.>.q.Z.p.>.q.Z.p.>.q.Z.p.>.q.>.q/>.q.Z.p.>.q.Z.q.>.q.Z.p.>.qRich.>.q........PE..d... ..8.........."......J... ...... O.........@.....................................9....`.......... ..........................................................x.......................T............................a...............b...............................text....H.......J.................. ..`.rdata...]...`...^...N..............@..@.data...H...........................@....pdata..x...........................@..@.rsrc...............................@..@.reloc...............b..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\SaryWtyzg\WINMM.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2174976
Entropy (8bit):	3.501635076472576
Encrypted:	false
SSDEEP:	12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	2AB1771EACAAB67C8DBCC40CC742146C
SHA1:	630753BE4D7354238AD511DEF9BEF46504102D67
SHA-256:	AEEEF877DA29CDBC34426C62C3C264346FE8570AA553056C8C6BB4D3758EAC1F
SHA-512:	A139373330E6607A61709BD5D9D1ADFCEEF8F6DEBE62ECE092C67267BA1171C2B40360BDAE286C7FC66C7027C6389F5C06C93CDA95389CE8A3DB54150F07AC8E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.0..DN^.........." ................p..........@.............................0!.....@lx}..b...........................................!.h....c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\VcAfkDB\VERSION.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2170880
Entropy (8bit):	3.492654327259235
Encrypted:	false
SSDEEP:	12288:8VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:JfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	0F593199E2816C0C8B8ED747CE1BEB85
SHA1:	423FD306E81B4F2D7FEF4D9F4F163BF5EE93EE7C
SHA-256:	B69C3AA0F262596A156376EA2931FC2324451A064F751DCE655F280650B046E5
SHA-512:	EC2234B909D85C89EE40C548CFC926D036A27B265F9793455AB6F2363AC66F81838F1D9288ECDB1BDEDA7D0C70A54EA8319BF6D0852C98FD24978A288BCABD7C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.0..DN^.........." ................p..........@............................. !.....@lx}..b...........................................!.+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\VcAfkDB\unregmp2.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	254976
Entropy (8bit):	5.093220071075157
Encrypted:	false
SSDEEP:	3072:1t+/6BNqqNRhdutq4jCoNhdxtYEbvyIwYKO8/+9vAwk4OdamabJ9:3Bhhd+7QKb
MD5:	9B517303C58CA8A450B97B0D71594CBB
SHA1:	BE75E3F10E17400DA7C0FAF70BF16EE7D0AA93A8
SHA-256:	2A38BFC3813D7E845F455B31DF099C8A6E657EF4556BFF681315F86A883A3314
SHA-512:	6A47EC7800E1F1FCDBB44A018147CE4A87FF0F5B94597B182AAE4E8545D9B18FAAAA07379BA1086D8F7785F0F66C36E4B6C68FCF49130333B8A9DC3A9E9E08E8
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\|.R.............y.......y.......y.......y..........w....y.......yf......y......Rich....................PE..d....Q&..........."..........^................@.............................0.......A....`.......... ..........................................................0.......................T....................V..(....U...............V...............................text...w........................... ..`.rdata..4...........................@..@.data....8.......&..................@....pdata..0...........................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\fID\WINSTA.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2174976
Entropy (8bit):	3.5091748741070106
Encrypted:	false
SSDEEP:	12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	6F22D93755FC031456BE2557F243015B
SHA1:	FC3E0F51E986057956F65B48296CB1AA197E8116
SHA-256:	EA2649CC270C4676E22323536EF5CFF6BA657383CFDDF1EF700E6CCE00ED9E11
SHA-512:	70CE3B19AA4485D82C7FB8E910CC789F7D004592AA8FD21DA1D25B600A2E699E00CB6577731CE81F226EFE451FB971C277055DF9FE667675B954E8F1AE0EB662
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.0..DN^.........." ................p..........@.............................0!.....@lx}..b...........................................!.m....c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\fID\rdpinit.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	327168
Entropy (8bit):	6.414070673036673
Encrypted:	false
SSDEEP:	6144:fOzsB7eGjsO+VxyQ/qY4gCJkxkVPXqdzVxNwK3S3drxhUS4eMZfCZc/o:fOzsB7eGjb+VxynJkxkZ6dzV63drxhlF
MD5:	EF7C9CF6EA5B8B9C5C8320990714C35D
SHA1:	9CBD44DE4761F9383F2E0352035D52B86ECE80C2
SHA-256:	0FD9B6C366E042ED83BFC53C5EA1AAF43F13F53D97F220B5571681BB766C33FA
SHA-512:	C2F5E902DF725BC05F03052042767635689A35226CA1C3436ADF4835C57666B3E815FD386B80517734AC3B71F2FB15E48CE2F6739D669B5F68F4A8989713E8FC
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s.....S...S...S.j.S...S.v.R...S.v.R...S.v.R...S.v.R...S...S...S.v.R...S.vmS...S.v.R...SRich...S................PE..d...q............"..........f...... ..........@.............................p......+................ ..........................................@....@..........d ...........`..x.......T............................................................................text...<........................... ..`.imrsiv..................................rdata..............................@..@.data....:..........................@....pdata..d ......."..................@..@.rsrc........@......................@..@.reloc..x....`......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\kyOIt4HX\TAPI32.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2174976
Entropy (8bit):	3.512499889839238
Encrypted:	false
SSDEEP:	12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	99671622AFF90CD9D173CA46E372D3AC
SHA1:	B689B8799C7A057958AF0BFAFF233142AC54F761
SHA-256:	578AD60043FB755F8546C8418C9D8FDE64D2C4BA9F4467CE812AA14D702FA855
SHA-512:	021357EAE61F5E372F5675788D0CDFA09A252238F808419E75912B53DC5507D26D6EB1B27B26000A699E53C0E831C6ADBFE66E4BA63577AB0FB129F6A9D44AC2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.0..DN^.........." ................p..........@.............................0!.....@lx}..b...........................................!.V....c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\kyOIt4HX\tcmsetup.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	4.999998588063228
Encrypted:	false
SSDEEP:	192:DIzBdu2Mhf/+G1jQ0pwPYqLmdO0O7RgZiLtzADWO4hxDcUh6UdBndOvfSWG0oW:GMVJjQ0dg0O7yk5ciJcUhLiSWG0oW
MD5:	0DDA495155D552D024593C4B3246C8FA
SHA1:	7501A7AD5DAA41462BEFF9127154BAF261A24A5B
SHA-256:	D3074CBD29678CA612C1F8AA93DE1F5B75108BE8187F0F2A2331BC302AD48CD9
SHA-512:	9159D8AF457591256BA87443E89ECE942DE40B8FF39586116C2026330B8AE9C20F96905547E87D98508951D2B4687069EFD018CC9E4A6C94A6C26D4B587F41B3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............Z...Z...Z..[...Z..[...Z..[...Z..[...Z...Z...Z..[...Z.:Z...Z..[...ZRich...Z................PE..d....E.H.........."..........,....... .........@..........................................`.......... .......................................9..x....p..P....`..D............... ....5..T............................0...............1...............................text............................... ..`.rdata..&....0......................@..@.data... ....P.......0..............@....pdata..D....`.......2..............@..@.rsrc...P....p.......4..............@..@.reloc.. ............>..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\r7RKh\BitLockerWizardElev.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	101888
Entropy (8bit):	6.95002760620154
Encrypted:	false
SSDEEP:	3072:k8kEZwnVS570M9kdatGCO+xmBc+hMPhPsx:1khVs7nyatGt+SYF
MD5:	3104EA9ECCA9ED71A382CCAAD618CEAE
SHA1:	9277108B7254F0C5BD241C2643902378925A8F9C
SHA-256:	D8CB004D4E8894AB4CA769C3CEC9A37B7FAB336DCDA1E6E9A15975DC64CEF370
SHA-512:	27C84C35461E37557BA27A7D9E9F86A47686DE73DDC74E001777F11EA8D5BE9B17604403875CF20124595010477F6F2ADDD797B9ACED79C514AEF2D2F1A019B7
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O.`M.h3M.h3M.h3"Jm2O.h3"Jk2O.h3"Jl2_.h3"Ji2F.h3M.i3}.h3"Ja2L.h3"J.3L.h3"Jj2L.h3RichM.h3........................PE..d....C............"............................@....................................0.....`.......... ......................................D,..x....`...c...P.................. ....(..T............................ ...............!...............................text............................... ..`.rdata....... ......................@..@.data........@.......$..............@....pdata.......P.......&..............@..@.rsrc....c...`...d...(..............@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\r7RKh\FVEWIZ.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2170880
Entropy (8bit):	3.4988987994424146
Encrypted:	false
SSDEEP:	12288:8VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:JfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	E618EE247E3251D556DAF3D3C658C0A9
SHA1:	177C80CA1FDA1BA71113C7A1F648D911E8A0C4C9
SHA-256:	101AF5D6FC2DAA1B700D779CDBB54D9255FDEA3718BE0FC9F672B807346298C6
SHA-512:	261E7DE708350CAC5E52860F9432CDB1DEDA7289168C4A10F26CD36EABFBA28CA4DD3BBAF9708C9110E3FD13F9D22E5789D112D682CCCEC243F62E1D32980E30
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.0..DN^.........." ................p..........@............................. !.....@lx}..b...........................................!......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\uBsjD\DUI70.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2453504
Entropy (8bit):	4.027319224931197
Encrypted:	false
SSDEEP:	12288:1VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1XQ:sfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	6A41878B4C9B36A4455B22A8EBBC846F
SHA1:	CF9CFC24FDC9B744A867B81E452C18A04042A4E2
SHA-256:	BC2B240D729D4DB74F14D302EC83EBD06C1ED7F340CF7CA8BE11F0184B263CE0
SHA-512:	7526BAC5EBDF82F434BC5E753F038AF339ADE485F59108A90D3CBB1589397DE08BCDE4C390AA7008395974E1B56F290A7787BCBD5145074B367AE8C2DB0A3BBB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.0..DN^.........." .........P!.....p..........@.............................p%.....@lx}..b...........................................!.dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.250876383836324
Encrypted:	false
SSDEEP:	768:ghunFhykO4aAvnsvpzte5+Ql0/iqmjjn:58kO4asshu+Q+/Ojjn
MD5:	1643D5735213BC89C0012F0E48253765
SHA1:	D076D701929F1F269D34C8FD7BD1BAB4DAF42A9D
SHA-256:	4176FA24D56BB870316D07BD7211BC8A797394F77DCC12B35FFEBAA0326525D2
SHA-512:	F0BD45FE66EDC6F615C0125C1AE81E657CA26544544769651AB0623DD3C724F96D9D78835EF6B1D15083D1BB9D501F6DC48487DDA5C361CAFA96022D5F33A43F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.?H..lH..lH..lAs.lT..l'o.mJ..l'o.m[..lH..l...l'o.mC..l'o.mA..l'o.mA..l'ohlI..l'o.mI..lRichH..l........................PE..d.................".........V.......&.........@....................................n3............... .......................................x.......... ...........................Po..T............................]...............^..p............................text....(......................... ..`.imrsiv......@...........................rdata..P8...P...:..................@..@.data...(............h..............@....pdata...............j..............@..@.rsrc... ............n..............@..@.reloc...............z..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\89dad5d484a9f889a3a8dfca823edc3e_d06ed635-68f6-4e9a-955c-4899f5f57b9a Download File
Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	4447
Entropy (8bit):	5.481123367178235
Encrypted:	false
SSDEEP:	96:JIj2Zt+j6ZP4zr1Q9EIj2Z0+ByNAI4v1lV3:O4tTgF8L40+8oXV3
MD5:	ED384AAFCE2EF80D0F36ED6D8B12E7B3
SHA1:	2D4B43B7864F08321B7702E6014A80D4BBAB0F24
SHA-256:	D55C29F6CD93EA549E21A9A294B036BB7621886B8DEDBDAFCA4BCFD287C0D8AD
SHA-512:	20B0483FBCA47C76328D8F0527C346DF626246EE0E70CACEC737C028CB6A9C2261C692BD07A00640459A96DBE0E1746D4DE44DDA6D1349F51CC7EF0B6ADE0E0C
Malicious:	false
Reputation:	unknown
Preview:	........................................user.........................................user.....................RSA1.................q00D..7..w.~......;<.Y......'7......VVmp/..."F.Q...#B......x.......K\|..K........~+:..:..%.J.+a(.....5...f.d...o...nV...........................z..O........D.Mb.G..m..#&....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....v?..`.G:AsQ.!..9mB........+...>............ ...!.Lt.}....S..!!.$'y.....D.$n..............4.A...A../.j.B.b.....6V:3..0...`..Ep....6.s..8....3.?`....LS..}F..+..Q_G..~.:........f..5...I..n.`..t..i....f.~b.rQ........#6.z...g...$.*y7...}B..>.Q6..,.....I_K.d........>.........d_.<..M0....D.p..>i.T.J...Q...}.g~... V7x...I.[&"ptk..x^.X.....\| @...~xB.....O.z...RA'^.}-..&....Ug._....f......F~.q^....;/.H....t.....8...A.ND.6...L.[j@...^.I..G.G^U=.[.2...k.7ln....@.:..l.8.....9@t.. ..m...j......-..........o-.t..4..V.k....k....u......`.J.skr<.`jq?....._.i...\..g@{..B.I5\|n)"..U+5.&......I...W..:#.d..`..o/......

Static File Info

General
File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	3.5201402860449647
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	A1ogRC4R34.dll
File size:	2166784
MD5:	5edd6ba336c4de29f55cadfd2167a67e
SHA1:	af181a8f3fe25a515a8fe2a02559e5daceecf976
SHA256:	eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d
SHA512:	01b133fad6f564e6736d5f7297284da9aa8cc67a1c28a57b7b7eb1989ee049318377df85fbbeda9f777c0d955f07706743dc2becc3994bf9727a8d040067f5d5
SSDEEP:	12288:JVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ofP7fWsK5z9A+WGAW+V5SB6Ct4bnb
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|.

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x140041070
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	6668be91e2c948b183827f040944057f

Entrypoint Preview

Instruction
dec eax
xor eax, eax
dec eax
add eax, 5Ah
dec eax
mov dword ptr [00073D82h], ecx
dec eax
lea ecx, dword ptr [FFFFECABh]
dec eax
mov dword ptr [00073D7Ch], edx
dec eax
add eax, ecx
dec esp
mov dword ptr [00073D92h], ecx
dec esp
mov dword ptr [00073DA3h], ebp
dec esp
mov dword ptr [00073D7Ch], eax
dec esp
mov dword ptr [00073D85h], edi
dec esp
mov dword ptr [00073D86h], esi
dec esp
mov dword ptr [00073D8Fh], esp
dec eax
mov ecx, eax
dec eax
sub ecx, 5Ah
dec eax
mov dword ptr [00073D89h], esi
dec eax
test eax, eax
je 00007F41A4B1713Fh
dec eax
mov dword ptr [00073D45h], esp
dec eax
mov dword ptr [00073D36h], ebp
dec eax
mov dword ptr [00073D7Fh], ebx
dec eax
mov dword ptr [00073D70h], edi
dec eax
test eax, eax
je 00007F41A4B1711Eh
jmp ecx
dec eax
add edi, ecx
dec eax
mov dword ptr [FFFFEC37h], ecx
dec eax
xor ecx, eax
jmp ecx
retn 0008h
ud2
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebx
dec eax
sub esp, 00000080h
mov eax, F957B016h
mov byte ptr [esp+7Fh], 00000037h
mov edx, dword ptr [esp+78h]
inc ecx
mov eax, edx
inc ecx
or eax, 5D262B0Ch
inc esp
mov dword ptr [esp+78h], eax
dec eax
mov dword ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[LNK] VS2012 UPD4 build 61030
[ASM] VS2013 UPD2 build 30501
[ C ] VS2012 UPD2 build 60315
[C++] VS2013 UPD4 build 31101
[RES] VS2012 UPD3 build 60610
[LNK] VS2017 v15.5.4 build 25834
[ C ] VS2017 v15.5.4 build 25834
[ASM] VS2010 build 30319
[EXP] VS2015 UPD1 build 23506
[IMP] VS2008 SP1 build 30729
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD2 build 60315
[C++] VS2015 UPD1 build 23506
[ C ] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x20f010	0x196d	.evwibb
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa6390	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x468	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc1000	0x2324	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x42000	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40796	0x41000	False	0.776085486779	data	7.73364605679	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x42000	0x64f2c	0x65000	False	0.702390160891	data	7.86574512659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa7000	0x178b8	0x18000	False	0.0694580078125	data	3.31515306295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xbf000	0x12c	0x1000	False	0.06005859375	PEX Binary Archive	0.581723022719	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x880	0x1000	False	0.139892578125	data	1.23838501563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc1000	0x2324	0x3000	False	0.0498046875	data	4.65321444248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.qkm	0xc4000	0x74a	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cvjb	0xc5000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tlmkv	0xc7000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wucsxe	0xc8000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fltwtj	0x10e000	0x1267	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sfplio	0x110000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rpg	0x111000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bewzc	0x157000	0x1124	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vksvaw	0x159000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wmhg	0x15a000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kswemc	0x15c000	0x36d	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kaxfk	0x15d000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pjf	0x15f000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.retjqj	0x160000	0x7fd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mizn	0x161000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrub	0x162000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fhgxfk	0x164000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wqpbrq	0x1aa000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xlhbgj	0x1ab000	0xebe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rzgl	0x1ac000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yic	0x1ad000	0x1f7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zfmbo	0x1ae000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kurwl	0x1af000	0x3fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.crlsf	0x1b0000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wrn	0x1b2000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.blcv	0x1b9000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.roblb	0x1ba000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yblxa	0x1bb000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tfy	0x1bc000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wsmv	0x1bd000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hrs	0x1be000	0x16c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ppapg	0x1bf000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.udm	0x1c0000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fxc	0x1c2000	0x1f2a	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fvxxk	0x1c4000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zmj	0x1c5000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zvz	0x1c6000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xyiz	0x20c000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gbzxp	0x20d000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kkivgv	0x20e000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.evwibb	0x20f000	0x197d	0x2000	False	0.318115234375	data	4.72480866446	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc00a0	0x370	data	English	United States
RT_MANIFEST	0xc0410	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
USER32.dll	LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
SETUPAPI.dll	CM_Get_Resource_Conflict_DetailsW
KERNEL32.dll	DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
GDI32.dll	CreateBitmapIndirect, GetPolyFillMode
CRYPT32.dll	CertGetCTLContextProperty
ADVAPI32.dll	AddAccessDeniedObjectAce
SHLWAPI.dll	ChrCmpIW

Exports

Name	Ordinal	Address
LogonIdFromWinStationNameA	2	0x1400154cc
LogonIdFromWinStationNameW	3	0x14001e670
RemoteAssistancePrepareSystemRestore	4	0x1400019b0
ServerGetInternetConnectorStatus	5	0x14000b840
ServerLicensingClose	6	0x140003cdc
ServerLicensingDeactivateCurrentPolicy	7	0x14003d540
ServerLicensingFreePolicyInformation	8	0x1400382b0
ServerLicensingGetAvailablePolicyIds	9	0x140038e3c
ServerLicensingGetPolicy	10	0x14002eee4
ServerLicensingGetPolicyInformationA	11	0x14003c028
ServerLicensingGetPolicyInformationW	12	0x140035608
ServerLicensingLoadPolicy	13	0x140031ff4
ServerLicensingOpenA	14	0x140037a88
ServerLicensingOpenW	15	0x14001cb14
ServerLicensingSetPolicy	16	0x140020cec
ServerLicensingUnloadPolicy	17	0x14002ed04
ServerQueryInetConnectorInformationA	18	0x1400185c8
ServerQueryInetConnectorInformationW	19	0x140035b78
ServerSetInternetConnectorStatus	20	0x14000af38
WTSRegisterSessionNotificationEx	21	0x14001d320
WTSUnRegisterSessionNotificationEx	22	0x14002e560
WinStationActivateLicense	23	0x14000744c
WinStationAutoReconnect	24	0x1400103c0
WinStationBroadcastSystemMessage	25	0x140033dac
WinStationCheckAccess	26	0x14000b518
WinStationCheckLoopBack	27	0x1400087e4
WinStationCloseServer	28	0x14001150c
WinStationConnectA	29	0x140037f54
WinStationConnectAndLockDesktop	30	0x140037230
WinStationConnectCallback	31	0x140024504
WinStationConnectEx	32	0x140009568
WinStationConnectW	33	0x14001e29c
WinStationCreateChildSessionTransport	34	0x14002b190
WinStationDisconnect	35	0x140033000
WinStationEnableChildSessions	36	0x14000e96c
WinStationEnumerateA	37	0x140011a98
WinStationEnumerateExW	38	0x14001faf4
WinStationEnumerateLicenses	39	0x14002d380
WinStationEnumerateProcesses	40	0x14003566c
WinStationEnumerateW	41	0x1400170b0
WinStationEnumerate_IndexedA	42	0x14002764c
WinStationEnumerate_IndexedW	43	0x14000da0c
WinStationFreeConsoleNotification	44	0x1400406e4
WinStationFreeEXECENVDATAEX	45	0x14003159c
WinStationFreeGAPMemory	46	0x1400141e0
WinStationFreeMemory	47	0x14000ef30
WinStationFreePropertyValue	48	0x140012754
WinStationFreeUserCertificates	49	0x14000e344
WinStationFreeUserCredentials	50	0x14001f31c
WinStationFreeUserSessionInfo	51	0x14002b4bc
WinStationGenerateLicense	52	0x14002d08c
WinStationGetAllProcesses	53	0x14001c2e8
WinStationGetAllSessionsEx	54	0x14001fea0
WinStationGetAllSessionsW	55	0x140019b9c
WinStationGetAllUserSessions	56	0x14001d4e0
WinStationGetChildSessionId	57	0x14000fb5c
WinStationGetConnectionProperty	58	0x1400148b4
WinStationGetCurrentSessionCapabilities	59	0x140005448
WinStationGetCurrentSessionConnectionProperty	60	0x140021e94
WinStationGetCurrentSessionTerminalName	61	0x140014980
WinStationGetDeviceId	62	0x14001e4fc
WinStationGetInitialApplication	63	0x140003a94
WinStationGetLanAdapterNameA	64	0x14003500c
WinStationGetLanAdapterNameW	65	0x1400304b8
WinStationGetLoggedOnCount	66	0x140037198
WinStationGetMachinePolicy	67	0x140028a38
WinStationGetParentSessionId	68	0x140018ad8
WinStationGetProcessSid	69	0x140023484
WinStationGetRedirectAuthInfo	70	0x140021df4
WinStationGetRestrictedLogonInfo	71	0x14000c674
WinStationGetSessionIds	72	0x140001acc
WinStationGetTermSrvCountersValue	73	0x14001665c
WinStationGetUserCertificates	74	0x140008794
WinStationGetUserCredentials	75	0x14003e30c
WinStationGetUserProfile	76	0x140002fbc
WinStationInstallLicense	77	0x14001ebcc
WinStationIsChildSessionsEnabled	78	0x14000a870
WinStationIsCurrentSessionRemoteable	79	0x1400310d4
WinStationIsHelpAssistantSession	80	0x14003e898
WinStationIsSessionPermitted	81	0x14000da1c
WinStationIsSessionRemoteable	82	0x1400179c0
WinStationNameFromLogonIdA	83	0x140034f78
WinStationNameFromLogonIdW	84	0x140024ed4
WinStationNegotiateSession	85	0x140015328
WinStationNtsdDebug	86	0x140030d6c
WinStationOpenServerA	87	0x140013ba8
WinStationOpenServerExA	88	0x14001d588
WinStationOpenServerExW	89	0x14003caec
WinStationOpenServerW	90	0x140003af8
WinStationPreCreateGlassReplacementSession	91	0x140036ff0
WinStationPreCreateGlassReplacementSessionEx	92	0x140018ab8
WinStationQueryAllowConcurrentConnections	93	0x14001d4bc
WinStationQueryCurrentSessionInformation	94	0x14000f5d0
WinStationQueryEnforcementCore	95	0x140034e24
WinStationQueryInformationA	96	0x140009954
WinStationQueryInformationW	97	0x140009c90
WinStationQueryLicense	98	0x14002f848
WinStationQueryLogonCredentialsW	99	0x14000bfb8
WinStationQuerySessionVirtualIP	100	0x14000ed90
WinStationQueryUpdateRequired	101	0x14001bb78
WinStationRcmShadow2	102	0x14003a4fc
WinStationRedirectErrorMessage	103	0x140003fc4
WinStationRedirectLogonBeginPainting	104	0x140040b1c
WinStationRedirectLogonError	105	0x1400329d0
WinStationRedirectLogonMessage	106	0x14001a8e8
WinStationRedirectLogonStatus	107	0x14000dcb0
WinStationRegisterConsoleNotification	108	0x14003db9c
WinStationRegisterConsoleNotificationEx	109	0x140004320
WinStationRegisterConsoleNotificationEx2	1	0x14000c190
WinStationRegisterCurrentSessionNotificationEvent	110	0x14001871c
WinStationRegisterNotificationEvent	111	0x14001caec
WinStationRemoveLicense	112	0x14000ad28
WinStationRenameA	113	0x14003e0a0
WinStationRenameW	114	0x140010064
WinStationReportUIResult	115	0x140030854
WinStationReset	116	0x1400280b0
WinStationRevertFromServicesSession	117	0x140020f9c
WinStationSendMessageA	118	0x14003dc44
WinStationSendMessageW	119	0x140025608
WinStationSendWindowMessage	120	0x1400378e4
WinStationServerPing	121	0x140027898
WinStationSetAutologonPassword	122	0x140015b60
WinStationSetInformationA	123	0x140036334
WinStationSetInformationW	124	0x14002f668
WinStationSetPoolCount	125	0x140012008
WinStationSetRenderHint	126	0x140010d54
WinStationShadow	127	0x14001f2bc
WinStationShadowAccessCheck	128	0x140036038
WinStationShadowStop	129	0x14000a3ec
WinStationShadowStop2	130	0x14001503c
WinStationShutdownSystem	131	0x14003a0e4
WinStationSwitchToServicesSession	132	0x140020bcc
WinStationSystemShutdownStarted	133	0x14003fcb8
WinStationSystemShutdownWait	134	0x14001536c
WinStationTerminateGlassReplacementSession	135	0x140028a90
WinStationTerminateProcess	136	0x140023fcc
WinStationUnRegisterConsoleNotification	137	0x14001e86c
WinStationUnRegisterNotificationEvent	138	0x14002ba70
WinStationUserLoginAccessCheck	139	0x14001b4d0
WinStationVerify	140	0x140027dbc
WinStationVirtualOpen	141	0x14000bec0
WinStationVirtualOpenEx	142	0x140020a5c
WinStationWaitSystemEvent	143	0x14000ab44
_NWLogonQueryAdmin	144	0x14001fc60
_NWLogonSetAdmin	145	0x14001ab3c
_WinStationAnnoyancePopup	146	0x140040f10
_WinStationBeepOpen	147	0x140039a50
_WinStationBreakPoint	148	0x14003182c
_WinStationCallback	149	0x14003d540
_WinStationCheckForApplicationName	150	0x140022e50
_WinStationFUSCanRemoteUserDisconnect	151	0x140028074
_WinStationGetApplicationInfo	152	0x14000a000
_WinStationNotifyDisconnectPipe	153	0x140006300
_WinStationNotifyLogoff	154	0x140001f14
_WinStationNotifyLogon	155	0x14002a208
_WinStationNotifyNewSession	156	0x140040c10
_WinStationOpenSessionDirectory	157	0x140008768
_WinStationReInitializeSecurity	158	0x140031648
_WinStationReadRegistry	159	0x140026d80
_WinStationSessionInitialized	160	0x1400057e0
_WinStationShadowTarget	161	0x14003b860
_WinStationShadowTarget2	162	0x140036f6c
_WinStationShadowTargetSetup	163	0x14000a8e8
_WinStationUpdateClientCachedCredentials	164	0x1400396cc
_WinStationUpdateSettings	165	0x1400388a4
_WinStationUpdateUserConfig	166	0x140007c8c
_WinStationWaitForConnect	167	0x14002f99c

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserv
InternalName	bitsp
FileVersion	7.5.7600.16385 (win7_rtm.090713-
CompanyName	Microsoft Corporati
ProductName	Microsoft Windows Operating S
ProductVersion	6.1.7600
FileDescription	Background Intellig
OriginalFilename	kbdy
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2021 01:52:31.790808916 CEST	65296	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:31.823350906 CEST	53	65296	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:32.465501070 CEST	63183	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:32.498804092 CEST	53	63183	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:32.730051041 CEST	60151	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:32.765635967 CEST	53	60151	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:33.804905891 CEST	56969	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:33.817478895 CEST	55161	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:33.818048954 CEST	53	56969	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:33.848880053 CEST	53	55161	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:34.985820055 CEST	54757	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:34.999018908 CEST	53	54757	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:40.845426083 CEST	49992	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:40.859277964 CEST	53	49992	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:42.300054073 CEST	60075	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:42.336080074 CEST	53	60075	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:51.166105032 CEST	55016	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:51.181098938 CEST	53	55016	8.8.8.8	192.168.2.5
Sep 29, 2021 01:52:55.513081074 CEST	64345	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:52:55.547306061 CEST	53	64345	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:00.430376053 CEST	57128	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:00.457186937 CEST	53	57128	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:09.478631020 CEST	54791	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:09.492873907 CEST	53	54791	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:19.529807091 CEST	50463	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:19.543225050 CEST	53	50463	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:26.765866041 CEST	50394	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:26.779737949 CEST	53	50394	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:31.316761017 CEST	58530	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:31.335577965 CEST	53	58530	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:32.891992092 CEST	53813	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:32.906454086 CEST	53	53813	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:36.811083078 CEST	63732	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:36.830099106 CEST	53	63732	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:41.497210026 CEST	57344	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:41.514108896 CEST	53	57344	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:42.094588995 CEST	54450	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:42.162460089 CEST	53	54450	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:43.057723999 CEST	59261	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:43.071368933 CEST	53	59261	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:43.715352058 CEST	57151	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:43.728193045 CEST	53	57151	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:44.108999014 CEST	59413	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:44.176162004 CEST	53	59413	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:44.776848078 CEST	60516	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:44.871962070 CEST	53	60516	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:45.364443064 CEST	51649	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:45.381457090 CEST	53	51649	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:45.582349062 CEST	65086	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:45.617382050 CEST	53	65086	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:46.038453102 CEST	56432	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:46.054632902 CEST	53	56432	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:46.972182989 CEST	52929	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:46.989518881 CEST	53	52929	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:47.241627932 CEST	64317	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:47.256998062 CEST	53	64317	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:47.907243013 CEST	61004	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:47.922362089 CEST	53	61004	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:48.619767904 CEST	56895	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:48.634594917 CEST	53	56895	8.8.8.8	192.168.2.5
Sep 29, 2021 01:53:51.036287069 CEST	62372	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:53:51.052166939 CEST	53	62372	8.8.8.8	192.168.2.5
Sep 29, 2021 01:54:00.689531088 CEST	61515	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:54:00.702735901 CEST	53	61515	8.8.8.8	192.168.2.5
Sep 29, 2021 01:54:20.008591890 CEST	56675	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:54:20.024954081 CEST	53	56675	8.8.8.8	192.168.2.5
Sep 29, 2021 01:54:21.379786015 CEST	57172	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:54:21.392865896 CEST	53	57172	8.8.8.8	192.168.2.5
Sep 29, 2021 01:54:36.249819994 CEST	55267	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:54:36.305263042 CEST	53	55267	8.8.8.8	192.168.2.5
Sep 29, 2021 01:54:48.572086096 CEST	50969	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:54:48.586525917 CEST	53	50969	8.8.8.8	192.168.2.5
Sep 29, 2021 01:55:24.888780117 CEST	64362	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:55:24.904237986 CEST	53	64362	8.8.8.8	192.168.2.5
Sep 29, 2021 01:55:26.079010010 CEST	54766	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:55:26.094386101 CEST	53	54766	8.8.8.8	192.168.2.5
Sep 29, 2021 01:56:35.288681030 CEST	61446	53	192.168.2.5	8.8.8.8
Sep 29, 2021 01:56:35.305129051 CEST	53	61446	8.8.8.8	192.168.2.5

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exe PID: 7096 Parent PID: 5844

General

Start time:	01:52:38
Start date:	29/09/2021
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll'
Imagebase:	0x7ff77a010000
File size:	1136128 bytes
MD5 hash:	E0CC9D126C39A9D2FA1CAD5027EBBD18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.254502525.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: cmd.exe PID: 3192 Parent PID: 7096

General

Start time:	01:52:38
Start date:	29/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1
Imagebase:	0x7ff7eef80000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6408 Parent PID: 7096

General

Start time:	01:52:39
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameA
Imagebase:	0x7ff608cf0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.327777249.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 6396 Parent PID: 3192

General

Start time:	01:52:39
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe 'C:\Users\user\Desktop\A1ogRC4R34.dll',#1
Imagebase:	0x7ff608cf0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.234114370.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: explorer.exe PID: 3472 Parent PID: 6408

General

Start time:	01:52:40
Start date:	29/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6492 Parent PID: 7096

General

Start time:	01:52:42
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,LogonIdFromWinStationNameW
Imagebase:	0x7ff608cf0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.241053387.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 3684 Parent PID: 7096

General

Start time:	01:52:45
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\A1ogRC4R34.dll,RemoteAssistancePrepareSystemRestore
Imagebase:	0x7ff608cf0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000007.00000002.248393203.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: rdpinit.exe PID: 6372 Parent PID: 3472

General

Start time:	01:53:25
Start date:	29/09/2021
Path:	C:\Windows\System32\rdpinit.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rdpinit.exe
Imagebase:	0x7ff642f20000
File size:	327168 bytes
MD5 hash:	EF7C9CF6EA5B8B9C5C8320990714C35D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rdpinit.exe PID: 5620 Parent PID: 3472

General

Start time:	01:53:27
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\fID\rdpinit.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\fID\rdpinit.exe
Imagebase:	0x7ff785a80000
File size:	327168 bytes
MD5 hash:	EF7C9CF6EA5B8B9C5C8320990714C35D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000018.00000002.356788011.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Analysis Process: DmNotificationBroker.exe PID: 4592 Parent PID: 3472

General

Start time:	01:53:38
Start date:	29/09/2021
Path:	C:\Windows\System32\DmNotificationBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DmNotificationBroker.exe
Imagebase:	0x7ff619e90000
File size:	32256 bytes
MD5 hash:	1643D5735213BC89C0012F0E48253765
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: DmNotificationBroker.exe PID: 5212 Parent PID: 3472

General

Start time:	01:53:42
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\uBsjD\DmNotificationBroker.exe
Imagebase:	0x7ff69e090000
File size:	32256 bytes
MD5 hash:	1643D5735213BC89C0012F0E48253765
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.390772898.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report A1ogRC4R34

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Exploits:

Compliance:

Spreading:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll64.exe PID: 7096 Parent PID: 5844

General