Windows Analysis Report CiEceGPoOR

Overview

General Information

Sample Name: CiEceGPoOR (renamed file extension from none to dll)
Analysis ID: 492860
MD5: 2ab698a4e7608708ae2a693966194322
SHA1: 300f4d7d2f462dac7e6ab333d8783bab4f371316
SHA256: 3e814c52ab51985ebaf91bff6baeb9eab08c85529bf09f4a069803a4ee984572
Tags: Dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Windows Update Standalone Installer command line found (may be used to bypass UAC)
Contains functionality to prevent local Windows debugging
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Drops files with a non-matching file extension (content does not match file extension)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection:

Multi AV Scanner detection for submitted file
Source: CiEceGPoOR.dll Metadefender: Detection: 57%
Source: CiEceGPoOR.dll ReversingLabs: Detection: 80%
Antivirus / Scanner detection for submitted sample
Source: CiEceGPoOR.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\f49B\WTSAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\ukxAYmxLA\dwmapi.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\DwpdI\SYSDM.CPL Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\qGdjcQqe\WINBRAND.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\Z7wAQ0\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\uHKs6l\WINMM.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\WMp\OLEACC.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: CiEceGPoOR.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\f49B\WTSAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\ukxAYmxLA\dwmapi.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\DwpdI\SYSDM.CPL Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\qGdjcQqe\WINBRAND.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Z7wAQ0\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\uHKs6l\WINMM.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\WMp\OLEACC.dll Joe Sandbox ML: detected
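The dropped files above show the classic Dridex side-loading layout: a genuine Windows executable copied into a randomly named folder under %LOCALAPPDATA% (BdeUISrv.exe in f49B, WMPDMC.exe in WMp, AgentService.exe in Z7wAQ0, wusa.exe in igQ) next to a malicious DLL or .cpl that carries the name of a system module (WTSAPI32.dll, OLEACC.dll, VERSION.dll, SYSDM.CPL, ...), so the loader resolves that import from the application directory before it ever looks in System32. The following Python is an added hunt example for this page, not Joe Sandbox or Dridex code: it runs that check offline over the dropped-file paths quoted in this report. The SYSTEM32_MODULES set is an assumed stand-in for enumerating the real System32 directory on a live host, and the companion pairing is inferred purely from co-location in the same folder as shown on the page.

```python
"""Flag Dridex-style DLL side-loading drops from a list of file paths.

A hit is a .dll/.cpl whose name matches a Windows system module, written
under the user's AppData\\Local tree. If a .exe sits in the same folder the
pair is reported as a probable side-load; a module alone is still reported,
because the companion may simply not be in the listing.

Added example for this report page (not Joe Sandbox or Dridex code).
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Assumption: stand-in for the real System32 inventory. On a live host build
# this from os.listdir(r"C:\Windows\System32") instead of a hard-coded set.
SYSTEM32_MODULES = {
    "wtsapi32.dll", "dwmapi.dll", "sysdm.cpl", "winbrand.dll",
    "version.dll", "winmm.dll", "oleacc.dll",
}
SIDELOAD_EXTS = {".dll", ".cpl"}


@dataclass(frozen=True)
class Finding:
    module: str                # full path of the suspicious DLL/CPL
    companion: Optional[str]   # .exe in the same folder, if one is present
    severity: str              # "sideload_pair" or "orphan_module"


def _under_local_appdata(p: PureWindowsPath) -> bool:
    # C:\Users\<user>\AppData\Local\... -> parts: drive, Users, <user>, AppData, Local, ...
    parts = [s.lower() for s in p.parts]
    return (len(parts) >= 6 and parts[1] == "users"
            and parts[3] == "appdata" and parts[4] == "local")


def find_sideload_drops(paths):
    """Return Findings for system-module-named files dropped under AppData\\Local."""
    by_dir = defaultdict(list)
    for raw in paths:
        p = PureWindowsPath(raw)
        by_dir[str(p.parent).lower()].append(p)

    findings = []
    for files in by_dir.values():
        exes = sorted(f for f in files if f.suffix.lower() == ".exe")
        for f in files:
            if f.suffix.lower() not in SIDELOAD_EXTS:
                continue
            if f.name.lower() not in SYSTEM32_MODULES:
                continue
            if not _under_local_appdata(f):
                continue  # e.g. the genuine copy living in System32
            companion = str(exes[0]) if exes else None
            severity = "sideload_pair" if companion else "orphan_module"
            findings.append(Finding(str(f), companion, severity))
    return sorted(findings, key=lambda x: x.module.lower())


# Input constructed from this report: the AV-flagged drops plus the copied
# Windows executables named in the "Code function" lines, and one negative
# control (the genuine module in System32) that must not be flagged.
DROPPED_FILES = [
    r"C:\Users\user\AppData\Local\f49B\WTSAPI32.dll",
    r"C:\Users\user\AppData\Local\ukxAYmxLA\dwmapi.dll",
    r"C:\Users\user\AppData\Local\DwpdI\SYSDM.CPL",
    r"C:\Users\user\AppData\Local\qGdjcQqe\WINBRAND.dll",
    r"C:\Users\user\AppData\Local\Z7wAQ0\VERSION.dll",
    r"C:\Users\user\AppData\Local\uHKs6l\WINMM.dll",
    r"C:\Users\user\AppData\Local\WMp\OLEACC.dll",
    r"C:\Users\user\AppData\Local\f49B\BdeUISrv.exe",
    r"C:\Users\user\AppData\Local\WMp\WMPDMC.exe",
    r"C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe",
    r"C:\Users\user\AppData\Local\igQ\wusa.exe",
    r"C:\Windows\System32\version.dll",   # constructed negative control
]

if __name__ == "__main__":
    for hit in find_sideload_drops(DROPPED_FILES):
        print(f"{hit.severity:15} {hit.module}  <-  {hit.companion or '(no exe listed)'}")
```

Folders with no executable in the listing (DwpdI, ukxAYmxLA, qGdjcQqe, uHKs6l) come out as orphan modules rather than being dropped, and igQ\wusa.exe produces nothing on its own because no module from that folder appears on this page. On a real host, pair the check with a signature check on the companion executable: a validly Microsoft-signed binary in a user-writable folder that is not its installed location is itself the indicator.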

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Code function: 39_2_00007FF778CA8780 memset,LocalFree,CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,memset,CreateDirectoryA,GetLastError,GetFileAttributesA,GetLastError,DecryptFileA,GetLastError,MultiByteToWideChar,GetLastError,CryptReleaseContext,LocalFree, 39_2_00007FF778CA8780
Source: CiEceGPoOR.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wusa.pdbGCTL source: wusa.exe, 00000027.00000000.519872524.00007FF778CB7000.00000002.00020000.sdmp
Source: Binary string: wusa.pdb source: wusa.exe, 00000027.00000000.519872524.00007FF778CB7000.00000002.00020000.sdmp
Source: Binary string: mspaint.pdb source: mspaint.exe, 00000020.00000002.457507049.00007FF67B198000.00000002.00020000.sdmp
Source: Binary string: mspaint.pdbGCTL source: mspaint.exe, 00000020.00000002.457507049.00007FF67B198000.00000002.00020000.sdmp
Source: Binary string: SystemPropertiesRemote.pdb source: SystemPropertiesRemote.exe, 00000023.00000000.460233798.00007FF7376B2000.00000002.00020000.sdmp
Source: Binary string: BdeUISrv.pdb source: BdeUISrv.exe, 00000016.00000000.347271013.00007FF7CAA69000.00000002.00020000.sdmp
Source: Binary string: SystemPropertiesRemote.pdbGCTL source: SystemPropertiesRemote.exe, 00000023.00000000.460233798.00007FF7376B2000.00000002.00020000.sdmp
Source: Binary string: BdeUISrv.pdbGCTL source: BdeUISrv.exe, 00000016.00000000.347271013.00007FF7CAA69000.00000002.00020000.sdmp
Source: Binary string: LockScreenContentServer.pdbGCTL source: LockScreenContentServer.exe, 0000001C.00000002.425932053.00007FF755D05000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe, 00000018.00000000.374547106.00007FF71E3ED000.00000002.00020000.sdmp
Source: Binary string: AgentService.pdbGCTL source: AgentService.exe, 00000025.00000002.516817162.00007FF7A3521000.00000002.00020000.sdmp
Source: Binary string: AgentService.pdb source: AgentService.exe, 00000025.00000002.516817162.00007FF7A3521000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdb source: WMPDMC.exe, 00000018.00000000.374547106.00007FF71E3ED000.00000002.00020000.sdmp
Source: Binary string: LockScreenContentServer.pdb source: LockScreenContentServer.exe, 0000001C.00000002.425932053.00007FF755D05000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: 37_2_00007FF7A3499110 ??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,FindFirstFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,FindNextFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,std::bad_exception::bad_exception,_CxxThrowException, 37_2_00007FF7A3499110
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Code function: 39_2_00007FF778CA1BC0 memset,memset,CoInitializeEx,FindFirstFileW,GetLastError,lstrcmpiW,FindNextFileW,GetLastError,GetCommandLineW,EventWrite,FindClose,CoUninitialize,LocalFree, 39_2_00007FF778CA1BC0
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Code function: 39_2_00007FF778CA8D04 memset,memset,memset,FindFirstFileW,GetLastError,lstrcmpW,lstrcmpW,DeleteFileW,GetLastError,MoveFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,GetLastError,LocalFree, 39_2_00007FF778CA8D04

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E332AE8 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,GetObjectW,GdiplusStartup,GdipAlloc,GdipCreateBitmapFromHBITMAP,GdipGetImageWidth,GdipGetImageHeight,GdipCreateHBITMAPFromBitmap,GdiplusShutdown,DeleteObject,DeleteDC,ReleaseDC, 24_2_00007FF71E332AE8

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000002.00000002.339185192.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.541829732.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.455241434.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.274495775.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.481917685.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.424243110.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.514511264.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.369765886.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.253536981.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.260833878.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.396379510.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.268716589.0000000140001000.00000020.00020000.sdmp, type: MEMORY
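Every Yara hit above is a dump of the same region, 0x140001000, in twelve different processes: 0x1000 past the MSVC default x64 image base, with protection 0x20 (PAGE_EXECUTE_READ), i.e. the unpacked Dridex module mapped at its preferred base inside each side-loaded host. Reading the dump names also explains the "Code function" addresses elsewhere in this report: 0x1400xxxxx references in loaddll64.exe fall in that payload region, while 0x7FF7... references in wusa.exe, WMPDMC.exe and the other hosts lie in the ASLR-relocated host images (the same regions the .pdb strings come from), so signatures such as screenshot capture or CryptGenRandom use are attributable to the copied Windows binaries and not necessarily to the payload. The Python below is an added example for this page, not Joe Sandbox code. The dump-name layout <pid>.<phase>.<id>.<base>.<protect>.<flags>.sdmp and the <pid>_<phase>_<address> shape of code references are inferred from the report itself (process 39_2 is wusa.exe, and wusa.pdb is found in dump 00000027.00000000..., 0x27 being 39) and are assumptions; the PAGE_* constants are the documented winnt.h values, and the meaning of the last dump-name field is not established by the page, so it is kept raw.

```python
"""Decode Joe Sandbox dump names and code-function references from this report
and correlate the Dridex Yara hits with the processes named on the page.

Added example for this report page, not Joe Sandbox code. Field layout is an
assumption inferred from the report (see lead-in).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# winnt.h memory protection constants (low byte of the protect field).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Process index -> image name, taken from the "Code function: <pid>_2_..." and
# "Binary string ... source:" lines of this report. Indices 2, 3, 7 and 10 are
# never named on the page and stay unresolved.
PROCESS_NAMES = {
    0: "loaddll64.exe", 22: "BdeUISrv.exe", 24: "WMPDMC.exe",
    28: "LockScreenContentServer.exe", 32: "mspaint.exe",
    35: "SystemPropertiesRemote.exe", 37: "AgentService.exe", 39: "wusa.exe",
}

# Assumption: the Yara hits sit at 0x140001000, just past the MSVC default x64
# image base, so addresses in this range are treated as the mapped payload and
# 0x7FF7... addresses as ASLR-relocated host images.
PAYLOAD_BASE = 0x140000000
PAYLOAD_SPAN = 0x10000000

_SDMP = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
                   r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)
_CODE_REF = re.compile(r"^(\d+)_(\d+)_([0-9A-F]{16})$", re.I)


@dataclass(frozen=True)
class Dump:
    pid: int
    phase: int      # 0 = dumped at process start, 2 = dumped at end of analysis
    base: int
    protect: int
    flags: int      # last field; meaning not established by the report, kept raw

    @property
    def process(self) -> str:
        return PROCESS_NAMES.get(self.pid, f"pid {self.pid} (not named in report)")

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))


def parse_sdmp(name: str) -> Dump:
    m = _SDMP.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    pid, phase, _uid, base, prot, flags = m.groups()
    return Dump(int(pid, 16), int(phase, 16), int(base, 16), int(prot, 16), int(flags, 16))


def classify_code_ref(ref: str) -> tuple:
    """Map e.g. '39_2_00007FF778CA8780' to (process name, 'payload' | 'host image')."""
    m = _CODE_REF.match(ref.strip())
    if not m:
        raise ValueError(f"not a code-function reference: {ref!r}")
    pid, addr = int(m.group(1)), int(m.group(3), 16)
    region = "payload" if PAYLOAD_BASE <= addr < PAYLOAD_BASE + PAYLOAD_SPAN else "host image"
    return PROCESS_NAMES.get(pid, f"pid {pid} (not named in report)"), region


def summarize(names):
    """Group dumps by base address: which hosts carry the region and how it is protected."""
    groups = defaultdict(lambda: {"hosts": [], "protect": set()})
    for n in names:
        d = parse_sdmp(n)
        groups[d.base]["hosts"].append(d.process)
        groups[d.base]["protect"].add(d.protect_name)
    for g in groups.values():
        g["hosts"].sort()
    return dict(groups)


# Yara-match dump names copied from the "E-Banking Fraud" section above.
YARA_DUMPS = [
    "00000002.00000002.339185192.0000000140001000.00000020.00020000.sdmp",
    "00000027.00000002.541829732.0000000140001000.00000020.00020000.sdmp",
    "00000020.00000002.455241434.0000000140001000.00000020.00020000.sdmp",
    "00000000.00000002.274495775.0000000140001000.00000020.00020000.sdmp",
    "00000023.00000002.481917685.0000000140001000.00000020.00020000.sdmp",
    "0000001C.00000002.424243110.0000000140001000.00000020.00020000.sdmp",
    "00000025.00000002.514511264.0000000140001000.00000020.00020000.sdmp",
    "00000016.00000002.369765886.0000000140001000.00000020.00020000.sdmp",
    "00000003.00000002.253536981.0000000140001000.00000020.00020000.sdmp",
    "00000007.00000002.260833878.0000000140001000.00000020.00020000.sdmp",
    "00000018.00000002.396379510.0000000140001000.00000020.00020000.sdmp",
    "0000000A.00000002.268716589.0000000140001000.00000020.00020000.sdmp",
]

if __name__ == "__main__":
    for base, g in summarize(YARA_DUMPS).items():
        print(f"{base:#x} {'/'.join(sorted(g['protect']))}: {len(g['hosts'])} processes")
        for host in g["hosts"]:
            print("   ", host)
    for ref in ("0_2_000000014005D290", "39_2_00007FF778CA8780", "24_2_00007FF71E332AE8"):
        print(ref, "->", classify_code_ref(ref))
```

The grouping is what a triage analyst wants from a report like this: one payload region, present in loaddll64.exe and in every copied Windows binary, which is the memory-side confirmation of the side-loading chain visible in the dropped-file list.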

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140034870 0_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035270 0_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 0_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140065B80 0_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400524B0 0_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140026CC0 0_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004BD40 0_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400495B0 0_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140036F30 0_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069010 0_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001010 0_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140066020 0_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002F840 0_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D850 0_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140064080 0_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140010880 0_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400688A0 0_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002D0D0 0_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400018D0 0_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016100 0_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D100 0_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002A110 0_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D910 0_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140015120 0_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000B120 0_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004F940 0_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140039140 0_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023140 0_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140057950 0_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001E170 0_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140002980 0_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400611A0 0_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400389A0 0_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400381A0 0_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002E1B0 0_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400139D0 0_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400319F0 0_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002EA00 0_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022A00 0_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003B220 0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140067A40 0_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069A50 0_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140007A60 0_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003AAC0 0_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003A2E0 0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140062B00 0_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018300 0_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002FB20 0_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031340 0_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022340 0_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140017B40 0_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000BB40 0_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004EB60 0_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005370 0_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002CB80 0_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B390 0_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140054BA0 0_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033BB0 0_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400263C0 0_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400123C0 0_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140063BD0 0_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400663F0 0_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023BF0 0_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B41B 0_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B424 0_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B42D 0_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B436 0_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B43D 0_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140024440 0_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005C40 0_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B446 0_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005F490 0_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022D00 0_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035520 0_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019D20 0_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140030530 0_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023530 0_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031540 0_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033540 0_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014007BD50 0_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140078570 0_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019580 0_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400205A0 0_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140025DB0 0_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140071DC0 0_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000C5C0 0_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002DDE0 0_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031DF0 0_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000DDF0 0_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001620 0_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018630 0_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140032650 0_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140064E80 0_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016E80 0_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140007EA0 0_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400286B0 0_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140006EB0 0_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400276C0 0_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002FEC0 0_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002EED0 0_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002B6E0 0_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140053F20 0_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022730 0_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140029780 0_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018F80 0_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003EFB0 0_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400067B0 0_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400667D0 0_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140060FE0 0_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA638D0 22_2_00007FF7CAA638D0
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA62A9C 22_2_00007FF7CAA62A9C
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA64500 22_2_00007FF7CAA64500
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA62134 22_2_00007FF7CAA62134
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA64D78 22_2_00007FF7CAA64D78
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA63F74 22_2_00007FF7CAA63F74
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E36BFB8 24_2_00007FF71E36BFB8
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3B9FC8 24_2_00007FF71E3B9FC8
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3D6020 24_2_00007FF71E3D6020
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3A003C 24_2_00007FF71E3A003C
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E36A0E0 24_2_00007FF71E36A0E0
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E31E0FC 24_2_00007FF71E31E0FC
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3720B4 24_2_00007FF71E3720B4
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E36FD30 24_2_00007FF71E36FD30
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E38DE58 24_2_00007FF71E38DE58
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3BFE18 24_2_00007FF71E3BFE18
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3C5E48 24_2_00007FF71E3C5E48
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3D1EA0 24_2_00007FF71E3D1EA0
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E35BB7C 24_2_00007FF71E35BB7C
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E317B78 24_2_00007FF71E317B78
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3E5BB8 24_2_00007FF71E3E5BB8
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E367BC0 24_2_00007FF71E367BC0
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E34DC68 24_2_00007FF71E34DC68
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E39FC30 24_2_00007FF71E39FC30
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E365CD8 24_2_00007FF71E365CD8
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3B1D00 24_2_00007FF71E3B1D00
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E325930 24_2_00007FF71E325930
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3CD9F4 24_2_00007FF71E3CD9F4
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3699A0 24_2_00007FF71E3699A0
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3CBA68 24_2_00007FF71E3CBA68
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3B5A78 24_2_00007FF71E3B5A78
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3D5A90 24_2_00007FF71E3D5A90
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E321AF0 24_2_00007FF71E321AF0
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E385AFC 24_2_00007FF71E385AFC
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E341A98 24_2_00007FF71E341A98
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3D175C 24_2_00007FF71E3D175C
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E33976C 24_2_00007FF71E33976C
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3BB78C 24_2_00007FF71E3BB78C
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E37171C 24_2_00007FF71E37171C
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E35773C 24_2_00007FF71E35773C
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3B57D8 24_2_00007FF71E3B57D8
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3DD7D0 24_2_00007FF71E3DD7D0
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E39D820 24_2_00007FF71E39D820
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E353910 24_2_00007FF71E353910
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E359590 24_2_00007FF71E359590
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E37D5F4 24_2_00007FF71E37D5F4
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E36B610 24_2_00007FF71E36B610
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E31F35C 24_2_00007FF71E31F35C
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E35731C 24_2_00007FF71E35731C
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E351320 24_2_00007FF71E351320
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E35D310 24_2_00007FF71E35D310
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3C33A0 24_2_00007FF71E3C33A0
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E39D490 24_2_00007FF71E39D490
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3CD4D8 24_2_00007FF71E3CD4D8
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E393510 24_2_00007FF71E393510
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3C94B4 24_2_00007FF71E3C94B4
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3654BC 24_2_00007FF71E3654BC
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3374B8 24_2_00007FF71E3374B8
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E39F18C 24_2_00007FF71E39F18C
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E39B140 24_2_00007FF71E39B140
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3E31F0 24_2_00007FF71E3E31F0
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3D11B4 24_2_00007FF71E3D11B4
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E314E60 24_2_00007FF71E314E60
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E37D1C0 24_2_00007FF71E37D1C0
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E33D2F8 24_2_00007FF71E33D2F8
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3C52C0 24_2_00007FF71E3C52C0
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3232CC 24_2_00007FF71E3232CC
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E344F80 24_2_00007FF71E344F80
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E350F54 24_2_00007FF71E350F54
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3A7000 24_2_00007FF71E3A7000
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E384FFC 24_2_00007FF71E384FFC
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3B8FA0 24_2_00007FF71E3B8FA0
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E33D034 24_2_00007FF71E33D034
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E37504C 24_2_00007FF71E37504C
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: String function: 00007FF71E313240 appears 42 times
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Code function: String function: 00007FF778CA9520 appears 162 times
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: String function: 00007FF7A3463F1C appears 39 times
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: String function: 00007FF7A3465BC4 appears 55 times
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: String function: 00007FF7A34A5CE8 appears 64 times
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: String function: 00007FF7A34659E0 appears 153 times
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: 37_2_00007FF7A34693A8 memset,CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,swprintf_s,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z, 37_2_00007FF7A34693A8
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140046C90 NtClose, 0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 NtQuerySystemInformation, 0_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\ukxAYmxLA\LockScreenContentServer.exe Code function: 28_2_00007FF755D03D00 NtQuerySystemInformation, 28_2_00007FF755D03D00
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: 37_2_00007FF7A34E6CB0: DeviceIoControl,??_V@YAXPEAX@Z,CloseHandle, 37_2_00007FF7A34E6CB0
PE file contains strange resources
Source: WMPDMC.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesRemote.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wusa.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pwcreator.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Narrator.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesRemote.exe0.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
PE file contains more sections than normal
Source: SYSDM.CPL0.4.dr Static PE information: Number of sections : 55 > 10
Source: dwmapi.dll.4.dr Static PE information: Number of sections : 55 > 10
Source: WTSAPI32.dll.4.dr Static PE information: Number of sections : 55 > 10
Source: SYSDM.CPL.4.dr Static PE information: Number of sections : 55 > 10
Source: WINMM.dll.4.dr Static PE information: Number of sections : 55 > 10
Source: WINMM.dll0.4.dr Static PE information: Number of sections : 55 > 10
Source: CiEceGPoOR.dll Static PE information: Number of sections : 54 > 10
Source: WINBRAND.dll.4.dr Static PE information: Number of sections : 55 > 10
Source: OLEACC.dll.4.dr Static PE information: Number of sections : 55 > 10
Source: VERSION.dll.4.dr Static PE information: Number of sections : 55 > 10
Source: WTSAPI32.dll0.4.dr Static PE information: Number of sections : 55 > 10
Source: CiEceGPoOR.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINBRAND.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CiEceGPoOR.dll Metadefender: Detection: 57%
Source: CiEceGPoOR.dll ReversingLabs: Detection: 80%
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\CiEceGPoOR.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\CiEceGPoOR.dll',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\CiEceGPoOR.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\CiEceGPoOR.dll,??0?$PatternProvider@VExpandCollapseProvider@DirectUI@@UIExpandCollapseProvider@@$00@DirectUI@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\CiEceGPoOR.dll,??0?$PatternProvider@VGridItemProvider@DirectUI@@UIGridItemProvider@@$01@DirectUI@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\CiEceGPoOR.dll,??0?$PatternProvider@VGridProvider@DirectUI@@UIGridProvider@@$02@DirectUI@@QEAA@XZ
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\BdeUISrv.exe C:\Windows\system32\BdeUISrv.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe C:\Users\user\AppData\Local\f49B\BdeUISrv.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WMPDMC.exe C:\Windows\system32\WMPDMC.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\WMp\WMPDMC.exe C:\Users\user\AppData\Local\WMp\WMPDMC.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\LockScreenContentServer.exe C:\Windows\system32\LockScreenContentServer.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\ukxAYmxLA\LockScreenContentServer.exe C:\Users\user\AppData\Local\ukxAYmxLA\LockScreenContentServer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mspaint.exe C:\Windows\system32\mspaint.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\vbVu\mspaint.exe C:\Users\user\AppData\Local\vbVu\mspaint.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesRemote.exe C:\Windows\system32\SystemPropertiesRemote.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\pjo7Mc7lI\SystemPropertiesRemote.exe C:\Users\user\AppData\Local\pjo7Mc7lI\SystemPropertiesRemote.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\igQ\wusa.exe C:\Users\user\AppData\Local\igQ\wusa.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: 37_2_00007FF7A347943C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,GetLastError, 37_2_00007FF7A347943C
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Code function: 39_2_00007FF778CA5438 LookupPrivilegeValueW,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,LocalFree, 39_2_00007FF778CA5438
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.troj.evad.winDLL@46/21@0/0
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA638D0 CoCreateInstance,StringFromGUID2,wcscpy_s,wcscat_s,wcscat_s,RegOpenKeyExW,RegQueryInfoKeyW,RegCloseKey,wcscpy_s,wcscat_s,wcscat_s,RegOpenKeyExW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegCloseKey, 22_2_00007FF7CAA638D0
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Code function: 39_2_00007FF778CA4B60 GetModuleHandleW,FormatMessageW,GetLastError,wcsrchr,LocalFree,LocalFree, 39_2_00007FF778CA4B60
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: 37_2_00007FF7A346345C StartServiceCtrlDispatcherW,GetLastError, 37_2_00007FF7A346345C
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA664A0 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,QueryServiceStatus,StartServiceW,GetLastError,Sleep,QueryServiceStatus,GetLastError,CloseServiceHandle,CloseServiceHandle, 22_2_00007FF7CAA664A0
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Mutant created: \Sessions\1\BaseNamedObjects\{22cd3e45-146f-fcc4-dc5d-c827df9e75ca}
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Mutant created: \Sessions\1\BaseNamedObjects\{eb13c18f-689f-7d9c-75b5-4d52e3a5dfd4}
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA61DA4 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,EnterCriticalSection,LeaveCriticalSection, 22_2_00007FF7CAA61DA4
Source: wusa.exe String found in binary or memory: Failed to display update-not-installed message box
Source: wusa.exe String found in binary or memory: Failed to display update-installed message box
Source: CiEceGPoOR.dll Static PE information: More than 4320 > 100 exports found
Source: CiEceGPoOR.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: CiEceGPoOR.dll Static file information: File size 2252800 > 1048576
Source: CiEceGPoOR.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wusa.pdbGCTL source: wusa.exe, 00000027.00000000.519872524.00007FF778CB7000.00000002.00020000.sdmp
Source: Binary string: wusa.pdb source: wusa.exe, 00000027.00000000.519872524.00007FF778CB7000.00000002.00020000.sdmp
Source: Binary string: mspaint.pdb source: mspaint.exe, 00000020.00000002.457507049.00007FF67B198000.00000002.00020000.sdmp
Source: Binary string: mspaint.pdbGCTL source: mspaint.exe, 00000020.00000002.457507049.00007FF67B198000.00000002.00020000.sdmp
Source: Binary string: SystemPropertiesRemote.pdb source: SystemPropertiesRemote.exe, 00000023.00000000.460233798.00007FF7376B2000.00000002.00020000.sdmp
Source: Binary string: BdeUISrv.pdb source: BdeUISrv.exe, 00000016.00000000.347271013.00007FF7CAA69000.00000002.00020000.sdmp
Source: Binary string: SystemPropertiesRemote.pdbGCTL source: SystemPropertiesRemote.exe, 00000023.00000000.460233798.00007FF7376B2000.00000002.00020000.sdmp
Source: Binary string: BdeUISrv.pdbGCTL source: BdeUISrv.exe, 00000016.00000000.347271013.00007FF7CAA69000.00000002.00020000.sdmp
Source: Binary string: LockScreenContentServer.pdbGCTL source: LockScreenContentServer.exe, 0000001C.00000002.425932053.00007FF755D05000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe, 00000018.00000000.374547106.00007FF71E3ED000.00000002.00020000.sdmp
Source: Binary string: AgentService.pdbGCTL source: AgentService.exe, 00000025.00000002.516817162.00007FF7A3521000.00000002.00020000.sdmp
Source: Binary string: AgentService.pdb source: AgentService.exe, 00000025.00000002.516817162.00007FF7A3521000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdb source: WMPDMC.exe, 00000018.00000000.374547106.00007FF71E3ED000.00000002.00020000.sdmp
Source: Binary string: LockScreenContentServer.pdb source: LockScreenContentServer.exe, 0000001C.00000002.425932053.00007FF755D05000.00000002.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret 0_2_0000000140056A4E
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: 37_2_00007FF7A34A84C0 push rsp; retf 37_2_00007FF7A34A84C1
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: 37_2_00007FF7A34AFF70 pushfq ; retf 37_2_00007FF7A34AFF71
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Code function: 39_2_00007FF778CB1964 push rbx; iretd 39_2_00007FF778CB1965
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Code function: 39_2_00007FF778CB15F8 push rbx; retf 39_2_00007FF778CB15F9
PE file contains sections with non-standard names
Source: CiEceGPoOR.dll Static PE information: section name: .qkm
Source: CiEceGPoOR.dll Static PE information: section name: .cvjb
Source: CiEceGPoOR.dll Static PE information: section name: .tlmkv
Source: CiEceGPoOR.dll Static PE information: section name: .wucsxe
Source: CiEceGPoOR.dll Static PE information: section name: .fltwtj
Source: CiEceGPoOR.dll Static PE information: section name: .sfplio
Source: CiEceGPoOR.dll Static PE information: section name: .rpg
Source: CiEceGPoOR.dll Static PE information: section name: .bewzc
Source: CiEceGPoOR.dll Static PE information: section name: .vksvaw
Source: CiEceGPoOR.dll Static PE information: section name: .wmhg
Source: CiEceGPoOR.dll Static PE information: section name: .kswemc
Source: CiEceGPoOR.dll Static PE information: section name: .kaxfk
Source: CiEceGPoOR.dll Static PE information: section name: .pjf
Source: CiEceGPoOR.dll Static PE information: section name: .retjqj
Source: CiEceGPoOR.dll Static PE information: section name: .mizn
Source: CiEceGPoOR.dll Static PE information: section name: .rsrub
Source: CiEceGPoOR.dll Static PE information: section name: .susbqq
Source: CiEceGPoOR.dll Static PE information: section name: .jeojcw
Source: CiEceGPoOR.dll Static PE information: section name: .vwl
Source: CiEceGPoOR.dll Static PE information: section name: .mub
Source: CiEceGPoOR.dll Static PE information: section name: .xwxpmb
Source: CiEceGPoOR.dll Static PE information: section name: .aea
Source: CiEceGPoOR.dll Static PE information: section name: .lwpch
Source: CiEceGPoOR.dll Static PE information: section name: .nzgp
Source: CiEceGPoOR.dll Static PE information: section name: .qimx
Source: CiEceGPoOR.dll Static PE information: section name: .jbqbr
Source: CiEceGPoOR.dll Static PE information: section name: .kxxxil
Source: CiEceGPoOR.dll Static PE information: section name: .drpaa
Source: CiEceGPoOR.dll Static PE information: section name: .lepjc
Source: CiEceGPoOR.dll Static PE information: section name: .txam
Source: CiEceGPoOR.dll Static PE information: section name: .vqjcpr
Source: CiEceGPoOR.dll Static PE information: section name: .vvwma
Source: CiEceGPoOR.dll Static PE information: section name: .pinm
Source: CiEceGPoOR.dll Static PE information: section name: .eowj
Source: CiEceGPoOR.dll Static PE information: section name: .dzlhaa
Source: CiEceGPoOR.dll Static PE information: section name: .ncnf
Source: CiEceGPoOR.dll Static PE information: section name: .vqes
Source: CiEceGPoOR.dll Static PE information: section name: .rtu
Source: CiEceGPoOR.dll Static PE information: section name: .qlvquw
Source: CiEceGPoOR.dll Static PE information: section name: .nzjn
Source: CiEceGPoOR.dll Static PE information: section name: .dfwg
Source: CiEceGPoOR.dll Static PE information: section name: .zypdk
Source: CiEceGPoOR.dll Static PE information: section name: .ufvfoh
Source: CiEceGPoOR.dll Static PE information: section name: .efst
Source: CiEceGPoOR.dll Static PE information: section name: .dfk
Source: CiEceGPoOR.dll Static PE information: section name: .mxubr
Source: CiEceGPoOR.dll Static PE information: section name: .zqcgin
Source: CiEceGPoOR.dll Static PE information: section name: .cxkr
Source: WMPDMC.exe.4.dr Static PE information: section name: .didat
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qkm
Source: WTSAPI32.dll.4.dr Static PE information: section name: .cvjb
Source: WTSAPI32.dll.4.dr Static PE information: section name: .tlmkv
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3360A8 LoadLibraryW,GetProcAddress,GetLastError,DeactivateActCtx,SetLastError, 24_2_00007FF71E3360A8
PE file contains an invalid checksum
Source: SYSDM.CPL0.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x23067a
Source: dwmapi.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x230f11
Source: WTSAPI32.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x22a582
Source: SYSDM.CPL.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x229847
Source: WINMM.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x237ac4
Source: WINMM.dll0.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x230557
Source: CiEceGPoOR.dll Static PE information: real checksum: 0x7d786c40 should be: 0x228970
Source: WINBRAND.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x22b2ae
Source: OLEACC.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x231317
Source: VERSION.dll.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x227850
Source: WTSAPI32.dll0.4.dr Static PE information: real checksum: 0x7d786c40 should be: 0x230d7c
Binary contains a suspicious time stamp
Source: SystemPropertiesRemote.exe.4.dr Static PE information: 0xE6AE4658 [Thu Aug 21 18:15:52 2092 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Windows Update Standalone Installer command line found (may be used to bypass UAC)
Source: wusa.exe, 00000027.00000000.519872524.00007FF778CB7000.00000002.00020000.sdmp Memory string: DWS;zWusaHiddenFailed to allocate and initialize Administrators group SID.WusaIsUserAdminFailed to check token membership.Failed to get message text for id %uWusaLoadMessageWusaMessageBoxFailed: TaskDialog()Failed to get message for error 0x%xWusaGetErrorMessageWusaCreateLockFileFailed to allocate memory for lock file path.Failed to create lock file %SFailed: GetFullPathName() failed for %SWusaGetFullPathNameFailed to allocate memory for full path.Failed to create extract job for location: %SWusaExtractAllFilesFromCabinetFailed to add container for cabinet: %SFailed: ExtractAllFiles()Failed to extract files from cabinet %SFailed: LookupPrivilegeValue()EnablePrivilegeFailed: OpenProcessToken()Failed: AdjustTokenPrivileges()Failed: AdjustTokenPrivileges(); not all token privileges were assignedFailed: GetTokenInformation()WusaGetUserSIDFailed: CopySid()Failed to PostMessage to progress window, error code %uWusaPostMessagewusa.lockFailed to create eventAppModule::InitFailed to initialize COM securityFailed to initialize critical sectionFailed to show welcome dialogFailed to show non administrator dialogUser is not a member of the Administrators group.Failed to show multiple instance dialogError: Another instance of wusa.exe is running.Failed to create sandboxCreated sandbox %lsFailed: AppModule::SetScanCabPath()Failed to get application title text, id %uFailed to allocate BSTR for application titleFailure returned by InitCommonControlsEx()Failure returned by CreateFont()Failed to get STR_EXPAND_START textFailed to get STR_EXPAND_START_UNINSTALL textFailed to get STR_SEARCH_START textFailed to get STR_COPY_START textFailed to get STR_UNINSTALL_START textFailed to set done event to release shutdown blockAppModule::UninitDeleting sandbox %SAppModule::DeleteSandBoxFailed to delete sandboxCommandLineToArgvW() failed.AppModule::ParseCommandLineError: Too few arguments.Failed 
to get command line length.Failed to allocate memory for ignored arguments.Failed. Restart mode was supplied multiple times30Failed to parse switchFailed. /warnrestart has invalid formatFailed. /kb was supplied multiple timesFailed. /kb has invalid formatKBFailed to prefix KB numberFailed. /log was supplied multiple timesFailed. /gpmode was supplied multiple timesFailed. /gpmode has invalid formatFailed to allocate memory for product codeFailed to set product code to %lsFailed to add an argument to the ignored list Failed to add a blank space to the ignored argument listUnrecognized argument %SFailed to get MSU file nameFailed to get MSU file name or KB numberFailed: /uninstall with /kb and /quiet options is not supportedFailed to show /extract not supported message boxFailed: /extract is not a supported optionCommand line is %lsFailed to get source lengthAppModule::CopyStringWithQuoteFailed to allocate temp buffer"%s"Failed to copy stringFailure returned by SystemParametersInfo()AppModule::CreateFontWFailure returned by CreateFontIndirectW()Failure returned by DeleteObject()Failure r
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pjo7Mc7lI\SYSDM.CPL
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\DwpdI\SYSDM.CPL
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\WMp\OLEACC.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pjo7Mc7lI\SystemPropertiesRemote.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\vbVu\mspaint.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\qGdjcQqe\WINBRAND.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\vbVu\WINMM.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\WMp\WMPDMC.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\uHKs6l\Narrator.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\uHKs6l\WINMM.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\qGdjcQqe\pwcreator.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\f49B\WTSAPI32.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Z7wAQ0\VERSION.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\igQ\wusa.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\igQ\WTSAPI32.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ukxAYmxLA\dwmapi.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pjo7Mc7lI\SYSDM.CPL
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ukxAYmxLA\LockScreenContentServer.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\DwpdI\SystemPropertiesRemote.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\DwpdI\SYSDM.CPL
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA664A0 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,QueryServiceStatus,StartServiceW,GetLastError,Sleep,QueryServiceStatus,GetLastError,CloseServiceHandle,CloseServiceHandle, 22_2_00007FF7CAA664A0
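The dropped-file listing above shows a layout worth checking for explicitly: every randomly named directory under %LOCALAPPDATA% receives one executable plus one library whose file name is that of a DLL normally resolved from System32 (WTSAPI32, WINMM, OLEACC, VERSION, dwmapi, WINBRAND, SYSDM.CPL). Because the directory an executable is launched from is searched before System32, starting the executable loads the dropped library instead, which is the DLL side-loading pattern Dridex loaders use to run inside a legitimately named host process. The script below is an added example, not part of the Joe Sandbox report or its tooling; it parses the "File created" lines copied from this section, groups them by directory, and flags executable/library pairs. The allow-list of System32 library names and the final "Tools\helper.exe" line are constructed for the example.

```python
"""Flag DLL side-loading pairs in a sandbox 'File created' listing.

Added example; it is not part of the Joe Sandbox report. The report shows
explorer.exe dropping, into each randomly named directory under
%LOCALAPPDATA%, one executable and one library named like a System32 DLL.
Grouping the dropped files by directory makes that pairing explicit.
"""
import re
from collections import defaultdict

# Lines copied from the report's "Drops PE files" and "Drops files with a
# non-matching file extension" sections. The last line is constructed for
# this example to show a directory that must not be flagged.
REPORT_LINES = r"""
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pjo7Mc7lI\SYSDM.CPL
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\DwpdI\SYSDM.CPL
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\WMp\OLEACC.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pjo7Mc7lI\SystemPropertiesRemote.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\vbVu\mspaint.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\qGdjcQqe\WINBRAND.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\vbVu\WINMM.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\WMp\WMPDMC.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\uHKs6l\Narrator.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\uHKs6l\WINMM.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\qGdjcQqe\pwcreator.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\f49B\WTSAPI32.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Z7wAQ0\VERSION.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\igQ\wusa.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\igQ\WTSAPI32.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ukxAYmxLA\dwmapi.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ukxAYmxLA\LockScreenContentServer.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\DwpdI\SystemPropertiesRemote.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Tools\helper.exe
"""

FILE_RE = re.compile(r"File created: (?P<path>[A-Za-z]:\\\S+)")

# Hand-written list of library names that resolve to System32 on a clean
# host. This is an assumption for the example; real tooling should build the
# list from an inventory of a known-good System32 (and SysWOW64) directory.
SYSTEM_LIBRARY_NAMES = {
    "wtsapi32.dll", "winmm.dll", "oleacc.dll", "version.dll",
    "dwmapi.dll", "winbrand.dll", "sysdm.cpl",
}
# Control-panel applets (.cpl) are PE DLLs and are side-loaded the same way.
LIBRARY_SUFFIXES = (".dll", ".cpl")


def dropped_files_by_directory(report_text: str) -> dict:
    """Map each drop directory to the set of file names created in it."""
    drops = defaultdict(set)
    for match in FILE_RE.finditer(report_text):
        directory, _, name = match.group("path").rpartition("\\")
        drops[directory].add(name)
    return dict(drops)


def sideload_pairs(report_text: str) -> list:
    """Return (directory, executable, library, hijacks_system_name) for every
    directory that received both an executable and a loadable library."""
    findings = []
    for directory, names in sorted(dropped_files_by_directory(report_text).items()):
        exes = sorted(n for n in names if n.lower().endswith(".exe"))
        libs = sorted(n for n in names if n.lower().endswith(LIBRARY_SUFFIXES))
        for exe in exes:
            for lib in libs:
                findings.append((directory, exe, lib, lib.lower() in SYSTEM_LIBRARY_NAMES))
    return findings


if __name__ == "__main__":
    for directory, exe, lib, hijack in sideload_pairs(REPORT_LINES):
        tag = "SYSTEM-NAME HIJACK" if hijack else "pair"
        print(f"{tag:19} {directory}\\{exe} -> {lib}")
```

On a live host the same grouping applies to file-creation telemetry (for example Sysmon event 11) filtered to user-writable paths; a pair where the library name collides with a System32 DLL is a strong candidate regardless of whether the executable carries a valid Microsoft signature, since the host process is expected to be a legitimate binary.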

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E337020 GetWindow,IsWindowVisible,GetWindowThreadProcessId,GetDesktopWindow,GetWindow,GetWindowThreadProcessId,GetParent,GetWindow,GetClassNameW,CompareStringOrdinal,SetForegroundWindow,IsIconic,ShowWindow, 24_2_00007FF71E337020
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\vbVu\mspaint.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\vbVu\mspaint.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 7056 Thread sleep count: 37 > 30
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\qGdjcQqe\WINBRAND.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\uHKs6l\Narrator.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\qGdjcQqe\pwcreator.exe
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: 37_2_00007FF7A3484EF0 rdtsc 37_2_00007FF7A3484EF0
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 GetSystemInfo, 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: 37_2_00007FF7A3499110 ??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,FindFirstFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,FindNextFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,std::bad_exception::bad_exception,_CxxThrowException, 37_2_00007FF7A3499110
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Code function: 39_2_00007FF778CA1BC0 memset,memset,CoInitializeEx,FindFirstFileW,GetLastError,lstrcmpiW,FindNextFileW,GetLastError,GetCommandLineW,EventWrite,FindClose,CoUninitialize,LocalFree, 39_2_00007FF778CA1BC0
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Code function: 39_2_00007FF778CA8D04 memset,memset,memset,FindFirstFileW,GetLastError,lstrcmpW,lstrcmpW,DeleteFileW,GetLastError,MoveFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,GetLastError,LocalFree, 39_2_00007FF778CA8D04
Source: explorer.exe, 00000004.00000000.300074629.000000000891C000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.274286632.00000000011EE000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.300074629.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.265450646.0000000008AEA000.00000004.00000001.sdmp Binary or memory string: 00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&L6
Source: explorer.exe, 00000004.00000000.300613223.0000000008AEA000.00000004.00000001.sdmp Binary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&L6
Source: explorer.exe, 00000004.00000000.294639291.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000004.00000000.286980293.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000004.00000000.256038426.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000004.00000000.286980293.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3E97F0 EnterCriticalSection,IsDebuggerPresent,DebugBreak,LeaveCriticalSection, 24_2_00007FF71E3E97F0
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E336008 OutputDebugStringA,ActivateActCtx,GetLastError, 24_2_00007FF71E336008
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3360A8 LoadLibraryW,GetProcAddress,GetLastError,DeactivateActCtx,SetLastError, 24_2_00007FF71E3360A8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA64A10 RegisterTraceGuidsW,HeapSetInformation,GetLastError,GetProcessHeap,HeapSetInformation,GetLastError,GetCommandLineW,UnregisterTraceGuids, 22_2_00007FF7CAA64A10
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: 37_2_00007FF7A3484EF0 rdtsc 37_2_00007FF7A3484EF0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose, 0_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA67DA0 SetUnhandledExceptionFilter, 22_2_00007FF7CAA67DA0
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA67984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_00007FF7CAA67984
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3EACE0 SetUnhandledExceptionFilter, 24_2_00007FF71E3EACE0
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3EA9E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00007FF71E3EA9E4
Source: C:\Users\user\AppData\Local\ukxAYmxLA\LockScreenContentServer.exe Code function: 28_2_00007FF755D045C4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00007FF755D045C4
Source: C:\Users\user\AppData\Local\ukxAYmxLA\LockScreenContentServer.exe Code function: 28_2_00007FF755D04340 SetUnhandledExceptionFilter, 28_2_00007FF755D04340
Source: C:\Users\user\AppData\Local\pjo7Mc7lI\SystemPropertiesRemote.exe Code function: 35_2_00007FF7376B1430 SetUnhandledExceptionFilter, 35_2_00007FF7376B1430
Source: C:\Users\user\AppData\Local\pjo7Mc7lI\SystemPropertiesRemote.exe Code function: 35_2_00007FF7376B16B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 35_2_00007FF7376B16B4
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Code function: 37_2_00007FF7A3510304 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 37_2_00007FF7A3510304
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Code function: 39_2_00007FF778CB6AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 39_2_00007FF778CB6AA4
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Code function: 39_2_00007FF778CB6830 SetUnhandledExceptionFilter, 39_2_00007FF778CB6830

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: WTSAPI32.dll.4.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Contains functionality to prevent local Windows debugging
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3E97F0 EnterCriticalSection,IsDebuggerPresent,DebugBreak,LeaveCriticalSection, 24_2_00007FF71E3E97F0
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E3E9860 EnterCriticalSection,IsDebuggerPresent,DebugBreak,GetLastError,SetLastError,LeaveCriticalSection, 24_2_00007FF71E3E9860
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
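The per-byte listing the sandbox attached to the atom was produced by a 32-bit disassembler, which is why it reads "inc eax / push ebp / ... / dec eax". All processes involved here are 64-bit (the addresses are 0x7FF7... and 0x7FFA...), and in 64-bit mode the bytes 0x40, 0x41 and 0x48 are REX prefixes, not inc/dec: the atom holds an ordinary x86-64 function prologue (callee-saved pushes, a frame pointer set below rsp, then a stack reservation whose 32-bit immediate is cut off in the report). Together with the "Memory protected" and "Thread APC queued" lines above, that is the Atom Bombing sequence of writing code into the target through the global atom table, making it executable and running it through an APC. The decoder below is an added example, not Joe Sandbox code; it handles only the encodings this atom needs and reports anything else, including the truncated immediate, instead of guessing. The prologue heuristic at the end is a constructed triage rule, not a rule from the report.

```python
"""Decode the x86-64 prologue stored in a global atom (added example).

Not part of the Joe Sandbox report. The atom payload printed in the report is
decoded as 64-bit code: REX prefixes are consumed rather than shown as
inc/dec, and only push r64, lea r64,[base+disp8] and 0x81 /r r64,imm32 are
supported because that is all this prologue uses. A truncated trailing
instruction is reported as such.
"""

REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
        "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
GRP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]  # opcode 0x81 /r

# Atom content exactly as printed in the report.
REPORT_ATOM_HEX = "405553565741544156488D6C24D14881EC98"


def atom_to_bytes(atom_hex: str) -> bytes:
    """The report prints the atom payload as an upper-case hex string."""
    return bytes.fromhex(atom_hex)


def decode_x64(code: bytes) -> list:
    """Return a list of (offset, text) for the subset of x86-64 used here."""
    out, i = [], 0
    while i < len(code):
        start, rex = i, 0
        if 0x40 <= code[i] <= 0x4F:              # REX prefix (32-bit mode: inc/dec)
            rex, i = code[i], i + 1
            if i == len(code):
                out.append((start, "rex prefix with no opcode (truncated)"))
                break
        rex_w, rex_r, rex_b = rex & 8, rex & 4, rex & 1
        op, i = code[i], i + 1
        if 0x50 <= op <= 0x57:                   # push r64, REX.B selects r8-r15
            out.append((start, f"push {REGS[op - 0x50 + (8 if rex_b else 0)]}"))
        elif op == 0x8D and rex_w:               # lea r64, [base + disp8] through a SIB byte
            if len(code) - i < 3:
                out.append((start, "lea (truncated)"))
                break
            modrm, sib, disp8 = code[i], code[i + 1], code[i + 2]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod != 1 or rm != 4:
                out.append((start, f"lea with unsupported modrm 0x{modrm:02x}"))
                break
            reg += 8 if rex_r else 0
            base = (sib & 7) + (8 if rex_b else 0)
            disp = disp8 - 0x100 if disp8 & 0x80 else disp8   # sign-extend disp8
            out.append((start, f"lea {REGS[reg]}, [{REGS[base]}{disp:+#x}]"))
            i += 3
        elif op == 0x81 and rex_w:               # 0x81 /r r64, imm32 (register form only)
            if i == len(code):
                out.append((start, "0x81 group (truncated)"))
                break
            modrm, i = code[i], i + 1
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod != 3:
                out.append((start, f"{GRP1[reg]} with memory operand (unsupported)"))
                break
            dst = REGS[rm + (8 if rex_b else 0)]
            imm = code[i:i + 4]
            if len(imm) < 4:                     # the report's atom ends inside the immediate
                out.append((start, f"{GRP1[reg]} {dst}, imm32 (truncated: "
                                   f"{len(imm)} of 4 immediate bytes present)"))
                break
            out.append((start, f"{GRP1[reg]} {dst}, 0x{int.from_bytes(imm, 'little'):x}"))
            i += 4
        else:
            out.append((start, f"db 0x{op:02x} (not decoded)"))
            break
    return out


def looks_like_x64_prologue(insns: list) -> bool:
    """Constructed triage rule: at least two callee-saved pushes including
    rbp, followed by an instruction that sets up the frame relative to rsp.
    Atom strings normally hold text, so code-shaped content is the signal."""
    texts = [t for _, t in insns]
    pushes = [t for t in texts if t.startswith("push ")]
    frame_setup = any(t.startswith(("lea ", "sub rsp", "add rsp")) and "rsp" in t
                      for t in texts[len(pushes):])
    return len(pushes) >= 2 and "push rbp" in pushes and frame_setup


def decode_atom(atom_hex: str) -> list:
    return decode_x64(atom_to_bytes(atom_hex))


if __name__ == "__main__":
    insns = decode_atom(REPORT_ATOM_HEX)
    for offset, text in insns:
        print(f"{offset:#06x}  {text}")
    print("prologue-shaped:", looks_like_x64_prologue(insns))
```

The decoder deliberately stops at the first unsupported encoding instead of resynchronising; for triage the question is only whether the atom starts with code, and a partial decode that is known to be correct is more useful than a full one that may be wrong.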
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\CiEceGPoOR.dll',#1
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA64500 ConvertStringSidToSidW,IsValidSid,GetAclInformation,GetLengthSid,malloc,InitializeAcl,GetAclInformation,GetAce,AddAce,AddAccessAllowedAce,free,free,SetSecurityDescriptorDacl,LocalFree,CoInitializeSecurity,GetLastError,LocalFree,free,free,free,free, 22_2_00007FF7CAA64500
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA672BC memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,AllocateAndInitializeSid,GetLastError,RpcBindingSetAuthInfoExW,RpcStringFreeW,FreeSid,RpcBindingFree, 22_2_00007FF7CAA672BC
Source: explorer.exe, 00000004.00000000.307712318.0000000001640000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.307712318.0000000001640000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.307712318.0000000001640000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000004.00000000.274051236.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000004.00000000.307712318.0000000001640000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000004.00000000.307712318.0000000001640000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\ukxAYmxLA\LockScreenContentServer.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\ukxAYmxLA\LockScreenContentServer.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\vbVu\mspaint.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\vbVu\mspaint.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\pjo7Mc7lI\SystemPropertiesRemote.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\pjo7Mc7lI\SystemPropertiesRemote.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Z7wAQ0\AgentService.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\igQ\wusa.exe Queries volume information: unknown VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: DisableContainerHwnd,DestroyWindow,DeleteObject,GetModuleHandleW,GetClassInfoExW,memset,GetModuleHandleW,LoadCursorW,GetStockObject,DefWindowProcW,RegisterClassExW,GetModuleHandleW,CreateWindowExW,SetWindowLongPtrW,SetWindowLongPtrW,SendMessageW,GetWindowLongPtrW,GetWindowLongPtrW,SetWindowLongPtrW,GetThreadUILanguage,GetUserDefaultUILanguage,GetLocaleInfoW,GetWindowLongPtrW,SetWindowLongPtrW,CreateGadget,GetLastError,SetGadgetMessageFilter,SetGadgetStyle,GetDC,GetDeviceCaps,ReleaseDC,GetDC,CreateHalftonePalette,ReleaseDC,memset,SetGadgetRootInfo,TlsGetValue, 24_2_00007FF71E3699A0
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA67F30 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 22_2_00007FF7CAA67F30
Source: C:\Users\user\AppData\Local\WMp\WMPDMC.exe Code function: 24_2_00007FF71E378F90 GetVersion,LoadLibraryExW, 24_2_00007FF71E378F90

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA672BC memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,AllocateAndInitializeSid,GetLastError,RpcBindingSetAuthInfoExW,RpcStringFreeW,FreeSid,RpcBindingFree, 22_2_00007FF7CAA672BC
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA674BE RpcBindingFree, 22_2_00007FF7CAA674BE
Source: C:\Users\user\AppData\Local\f49B\BdeUISrv.exe Code function: 22_2_00007FF7CAA67450 NdrClientCall3,RpcBindingFree, 22_2_00007FF7CAA67450
No contacted IP infos