Windows Analysis Report yPeVDkBY3n

Overview

General Information

Sample Name: yPeVDkBY3n (renamed file extension from none to dll)
Analysis ID: 492878
MD5: 2cd9944b4c51630053a486adf9ba7928
SHA1: fbbe87d4587c694c6b44870bb99e30e1d48d1c06
SHA256: a92176c5e1216a097c14b387a64e96684497919d0777250897db8896331613ca
Tags: Dridexexe

Detection

Dridex
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Queues an APC in another process (thread injection)
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops files with a non-matching file extension (content does not match file extension)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: yPeVDkBY3n.dll Virustotal: Detection: 64%
Source: yPeVDkBY3n.dll Metadefender: Detection: 62%
Source: yPeVDkBY3n.dll ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: yPeVDkBY3n.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\iBq\WINSTA.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\xnA\dwmapi.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\SbH2\NETPLWIZ.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wer.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\NMBpLf1V\SYSDM.CPL Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\r4gbgdji\ReAgent.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\lW7exk8\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: yPeVDkBY3n.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: rdpinput.pdbGCTL source: rdpinput.exe, 00000029.00000002.516210591.00007FF609423000.00000002.00020000.sdmp, rdpinput.exe.6.dr
Source: Binary string: netplwiz.pdb source: Netplwiz.exe, 00000016.00000000.340021243.00007FF7D7314000.00000002.00020000.sdmp, Netplwiz.exe.6.dr
Source: Binary string: netplwiz.pdbGCTL source: Netplwiz.exe, 00000016.00000000.340021243.00007FF7D7314000.00000002.00020000.sdmp, Netplwiz.exe.6.dr
Source: Binary string: wbengine.pdbGCTL source: wbengine.exe.6.dr
Source: Binary string: phoneactivate.pdb source: phoneactivate.exe, 0000001F.00000000.405014685.00007FF6DC4D0000.00000002.00020000.sdmp, phoneactivate.exe.6.dr
Source: Binary string: wbengine.pdb source: wbengine.exe.6.dr
Source: Binary string: WerMgr.pdb source: wermgr.exe, 00000024.00000002.461794461.00007FF7E2165000.00000002.00020000.sdmp, wermgr.exe, 00000027.00000000.463164776.00007FF75F9C5000.00000002.00020000.sdmp, wermgr.exe.6.dr
Source: Binary string: SystemPropertiesProtection.pdb source: SystemPropertiesProtection.exe.6.dr
Source: Binary string: SystemPropertiesProtection.pdbGCTL source: SystemPropertiesProtection.exe.6.dr
Source: Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe.6.dr
Source: Binary string: phoneactivate.pdbGCTL source: phoneactivate.exe, 0000001F.00000000.405014685.00007FF6DC4D0000.00000002.00020000.sdmp, phoneactivate.exe.6.dr
Source: Binary string: rdpinput.pdb source: rdpinput.exe, 00000029.00000002.516210591.00007FF609423000.00000002.00020000.sdmp, rdpinput.exe.6.dr
Source: Binary string: recdisc.pdb source: recdisc.exe, 0000001B.00000000.366530322.00007FF6C2013000.00000002.00020000.sdmp, recdisc.exe.6.dr
Source: Binary string: recdisc.pdbGCTL source: recdisc.exe, 0000001B.00000000.366530322.00007FF6C2013000.00000002.00020000.sdmp, recdisc.exe.6.dr
Source: Binary string: WMPDMC.pdb source: WMPDMC.exe.6.dr
Source: Binary string: WerMgr.pdbGCTL source: wermgr.exe, 00000024.00000002.461794461.00007FF7E2165000.00000002.00020000.sdmp, wermgr.exe, 00000027.00000000.463164776.00007FF75F9C5000.00000002.00020000.sdmp, wermgr.exe.6.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D290 FindFirstFileExW, 1_2_000000014005D290
Source: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe Code function: 27_2_00007FF6C20062CC memset,memset,FindFirstFileW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,FindClose, 27_2_00007FF6C20062CC
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E2161BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose, 36_2_00007FF7E2161BA0
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E215BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose, 36_2_00007FF7E215BE54
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe Code function: 39_2_00007FF75F9BBE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose, 39_2_00007FF75F9BBE54
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe Code function: 39_2_00007FF75F9C1BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose, 39_2_00007FF75F9C1BA0
Source: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe Code function: 27_2_00007FF6C200A050 memset,CoCreateGuid,GetLogicalDriveStringsW,GetDriveTypeW,GetDiskFreeSpaceExW,CloseHandle,CreateFileW,CloseHandle,CloseHandle, 27_2_00007FF6C200A050
Source: phoneactivate.exe String found in binary or memory: http://schemas.mic
Source: explorer.exe, 00000006.00000000.273503366.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000016.00000002.362816566.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.334340057.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.458324438.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.388799941.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.267627821.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.273313020.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.485059141.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.426654754.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.514047905.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.252235999.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.260064173.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe Code function: String function: 00007FF6C2005D7C appears 58 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140046C90 NtClose, 1_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006A4B0 NtQuerySystemInformation, 1_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe Code function: 27_2_00007FF6C2009F88 NtQuerySystemInformation, 27_2_00007FF6C2009F88
Source: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe Code function: 27_2_00007FF6C20115EC memset,CreateFileW,memset,NtQueryInformationFile,NtSetInformationFile,CloseHandle, 27_2_00007FF6C20115EC
Source: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe Code function: 27_2_00007FF6C2011460 CreateFileW,NtQueryInformationFile,CloseHandle, 27_2_00007FF6C2011460
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E2161F54 NtQueryLicenseValue, 36_2_00007FF7E2161F54
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E215E368 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose, 36_2_00007FF7E215E368
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E2158404 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 36_2_00007FF7E2158404
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E2162438 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue, 36_2_00007FF7E2162438
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E21582EC DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 36_2_00007FF7E21582EC
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe Code function: 39_2_00007FF75F9B82EC DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 39_2_00007FF75F9B82EC
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe Code function: 39_2_00007FF75F9C2438 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue, 39_2_00007FF75F9C2438
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe Code function: 39_2_00007FF75F9B8404 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 39_2_00007FF75F9B8404
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe Code function: 39_2_00007FF75F9C1F54 NtQueryLicenseValue, 39_2_00007FF75F9C1F54
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe Code function: 39_2_00007FF75F9BE368 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose, 39_2_00007FF75F9BE368
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe Code function: 27_2_00007FF6C20065A0: CreateFileW,DeviceIoControl,CloseHandle, 27_2_00007FF6C20065A0
Sample file is different than original file name gathered from version info
Source: yPeVDkBY3n.dll Binary or memory string: OriginalFilenamekbdyj% vs yPeVDkBY3n.dll
PE file contains strange resources
Source: Netplwiz.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Netplwiz.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Netplwiz.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: recdisc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: recdisc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: recdisc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe0.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe0.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wermgr.exe0.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesProtection.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesProtection.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesProtection.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: DUI70.dll.6.dr Static PE information: Number of sections : 32 > 10
Source: yPeVDkBY3n.dll Static PE information: Number of sections : 31 > 10
Source: wer.dll.6.dr Static PE information: Number of sections : 32 > 10
Source: WINSTA.dll.6.dr Static PE information: Number of sections : 32 > 10
Source: SYSDM.CPL.6.dr Static PE information: Number of sections : 32 > 10
Source: ReAgent.dll.6.dr Static PE information: Number of sections : 32 > 10
Source: NETPLWIZ.dll.6.dr Static PE information: Number of sections : 32 > 10
Source: wer.dll0.6.dr Static PE information: Number of sections : 32 > 10
Source: dwmapi.dll.6.dr Static PE information: Number of sections : 32 > 10
Source: wer.dll1.6.dr Static PE information: Number of sections : 32 > 10
Source: yPeVDkBY3n.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NETPLWIZ.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ReAgent.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: wer.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: wer.dll0.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: wer.dll1.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\yPeVDkBY3n.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\yPeVDkBY3n.dll',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yPeVDkBY3n.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yPeVDkBY3n.dll,??0?$PatternProvider@VExpandCollapseProvider@DirectUI@@UIExpandCollapseProvider@@$00@DirectUI@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yPeVDkBY3n.dll,??0?$PatternProvider@VGridItemProvider@DirectUI@@UIGridItemProvider@@$01@DirectUI@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yPeVDkBY3n.dll,??0?$PatternProvider@VGridProvider@DirectUI@@UIGridProvider@@$02@DirectUI@@QEAA@XZ
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\Netplwiz.exe C:\Windows\system32\Netplwiz.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\SbH2\Netplwiz.exe C:\Users\user\AppData\Local\SbH2\Netplwiz.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\recdisc.exe C:\Windows\system32\recdisc.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\phoneactivate.exe C:\Windows\system32\phoneactivate.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\lW7exk8\phoneactivate.exe C:\Users\user\AppData\Local\lW7exk8\phoneactivate.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rdpinput.exe C:\Windows\system32\rdpinput.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\iBq\rdpinput.exe C:\Users\user\AppData\Local\iBq\rdpinput.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Source: wbengine.exe.6.dr Binary string: 3Z((HANDLE)(LONG_PTR)-1) != hFilebase\stor\blb\dsm\dsmutils\dll\fsutilswrapper.cppExtractVolumePath(ssPath, ssVolumePath)SplitDirPath( ssDirPath, ssParentDir, ssDirName )GetParentPaths(ssPath, arrstrPaths)ssDirPath.Length() != 0base\stor\blb\dsm\dsmutils\dll\fsutils.cpppstrPath != 0pstrName != 0CLOCK$COMLPTCONPRNAUXNUL\\?\GLOBALROOT\Device\base\stor\blb\dsm\dsmutils\dll\fsutils.cppInvalid path:%lsssPath.Length() > 0GetVolumePrefixLength failed for %lsFailed to parse path:%lsExtractVolumePath(ssWorkingPath, ssVolumePath)ssWorkingPath[ssWorkingPath.Length() - 1] == L'\\'(((HRESULT)(hrReason)) < 0)pstrPath && pstrPath[0]pfIsReparsedppstrReparsePtPath && (*ppstrReparsePtPath == 0)GetFileAttributes() failed on:%lsIsPathMountPoint(ssPath.PeekStr(), &fMountPoint)pszVolumePath != 0phVolume != 0ssVolumePath[ssVolumePath.Length() - 1] == L'\\'Failed to open volume:%ls((HANDLE)(LONG_PTR)-1) == hVolumeppstrPath && *ppstrPath == 0dwPathLength > 0 && pstrFilePath[dwPathLength-1] == L'\\'0 != pdwFileAttributesGetFileInformationByHandle(hFile, &fileInfo)0 != lpstrFilePathCreateFile unsuccessful for %wsFSWrapperGetFileAttributes(hFile, pdwFileAttributes)0 != pFileAttributesGetFileInformationByHandleEx(hFile, FileBasicInfo, &fileInfo, sizeof(FILE_BASIC_INFO))GetFileSize failed for %ws((DWORD)-1) != dwFileAttributesGetFileInformationByHandleEx failedSetFileInformationByHandle failedFSWrapperSetFileAttributes(hFile, dwFileAttributes)SplitDirPath(strPath, strParent, strChild)Path %S is invalid as it contains a '.' or '..', hr=0x%08xHRESULT_FROM_WIN32(GetLastError())wszPath && wszPath[0]pfIsPathMountPoint
Source: wbengine.exe.6.dr Binary string: abase\stor\blb\engine\blbengutils\blbvolumeutils.cpppbFloppypguidVolumeId != NULLpbIsCritical != NULLpguidVolumeIdwszMountedDeviceNamewszVolumeGuidpwszReparsePointName\\?\GLOBALROOT\DEVICE\HARDDISKVOLUME%dWsbMountedVolumeFile%lu_%spVolumeCatrgVolumeLocalwszVolumeGuidPathpwszVolumeGlobalRootPathVolume%ws\\?\GLOBALROOT%wspdwlJournalIdplastUsnwszVolumeName && *wszVolumeNamepbPerformResizepdwlUsnSizevssSnapshotId != GUID_NULLdwlJournalId != BLB_INVALID_USN_JOURNAL_IDusnBeforeSnapShot != BLB_INVALID_USN_IDwszBackupSetDirectorypwszVhdPathwszVolumeName != NULLpbIsVolumeOnSharedDisk != NULLpbIsCSVpdwVolumeNumber?UV9
Source: wbengine.exe.6.dr Binary string: base\stor\blb\catalog\compare.cpprowid1 != rowid2pKey->m_type == pCol->m_typepRow1 > pRow2_hImpersonationToken != INVALID_HANDLE_VALUEbase\stor\blb\blbimg\blbimg.cxxReadHandle != INVALID_HANDLE_VALUEWriteHandle != INVALID_HANDLE_VALUEpdwFlagsFveGetStatusWwszDeviceName%ws\%wsuCurrentBit < HintSpaceBitmapSizeExtentLength > 0pCurrentListEntry->Length > 0pbRecomputeNeededpBadClusExtentsBeforeRecovery\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{\System Volume Information\*{3808876B-C176-4e48-B7AE-04046E6CC752}\System Volume Information\{{3808876B-C176-4e48-B7AE-04046E6CC752}ReplicationContext->FirstBlock != NULLIoState[CurrentBuffer] == BLBIMGI_IO_STATE_WRITINGBackupFileName != NULLReplicationHandleReplicationContext != NULLoffset[i] < volumeSizet.QuadPart < restoreContext->VolumeSizereadBuffer != NULL\pagefile.sys\hiberfil.sys!IsListEmpty(&diffsInSource){IQ
Source: wbengine.exe.6.dr Binary string: e\\?\Globalroot\Device\Harddisk%lu\Partition1\\?\Globalroot\Device\Harddisk%lu\Partition2\\?\Globalroot\Device\HarddiskVolume%luChild_{47b7fa87-ce42-48ff-8b18-2f1088121503}WindowsBackupLinksbase\stor\blb\engine\blbengutils\blbvhdhelper.cppwszVhdFile && *wszVhdFilepwszVolumeDevicePathwszDiskPath && *wszDiskPathpwszVolumePathwszMountedDeviceName && *wszMountedDeviceNamepCBlbVhdwszMountedVolumePathNoSlash && *wszMountedVolumePathNoSlashpVhdContextpVhdContextForRemovalwszVolumeDevicePath && *wszVolumeDevicePathppVhdContextpVhdContext->m_pCBlbVhdsdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_1 || sdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_2ppDependencyInfopbIsVolVirtualppStorageDepInfowszTargetVolName && *wszTargetVolNamewszVirtualSrcVolName && *wszVirtualSrcVolNamepbIsVirtualSrcVolDependantpVolumeVHDInfo != NULLpstDepInfo != NULLpstDepInfoType2MaxAncestor != NULLpwszDiffVhdFilePath && pwszVhdTempPath%ws_%ws_%wspProgressReportCallbackContextwszVHDVolumeDevicePathpbCompactionRequiredwszVhdFilepGuidSnapshotIdwszVHDVolumeDevicePath && *wszVHDVolumeDevicePathpdwVHDDeviceDiskNumberpVhdHandle
Source: classification engine Classification label: mal92.troj.evad.winDLL@41/19@0/0
Source: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe Code function: 27_2_00007FF6C200D96C CoCreateGuid,CoCreateInstance,CoCreateInstance,SysAllocString,SysAllocString,SHCreateStreamOnFileEx,CoTaskMemAlloc,CoTaskMemFree,SysFreeString,SysFreeString, 27_2_00007FF6C200D96C
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: RtlInitUnicodeString,RtlCreateBoundaryDescriptor,RtlInitUnicodeString,RtlCreateServiceSid,GetProcessHeap,HeapAlloc,RtlCreateServiceSid,RtlAddSIDToBoundaryDescriptor,OpenPrivateNamespaceW,GetLastError,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor, 36_2_00007FF7E215DE98
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe Code function: RtlInitUnicodeString,RtlCreateBoundaryDescriptor,RtlInitUnicodeString,RtlCreateServiceSid,GetProcessHeap,HeapAlloc,RtlCreateServiceSid,RtlAddSIDToBoundaryDescriptor,OpenPrivateNamespaceW,GetLastError,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor, 39_2_00007FF75F9BDE98
Source: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe Code function: 27_2_00007FF6C200A050 memset,CoCreateGuid,GetLogicalDriveStringsW,GetDriveTypeW,GetDiskFreeSpaceExW,CloseHandle,CreateFileW,CloseHandle,CloseHandle, 27_2_00007FF6C200A050
Source: C:\Users\user\AppData\Local\iBq\rdpinput.exe Code function: 41_2_00007FF609404B74 OpenSCManagerW,OpenServiceW,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,Sleep, 41_2_00007FF609404B74
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E2151A70 CreateToolhelp32Snapshot,GetLastError,Process32FirstW,GetLastError,_wcsicmp,Process32NextW,CloseHandle, 36_2_00007FF7E2151A70
Source: C:\Users\user\AppData\Local\iBq\rdpinput.exe Mutant created: \Sessions\1\BaseNamedObjects\{deb7f765-e69b-728c-3180-fd487bbd6ce1}
Source: C:\Users\user\AppData\Local\iBq\rdpinput.exe Mutant created: \Sessions\1\BaseNamedObjects\{274fd39f-8d8a-b1de-df00-37bf686eafd0}
Source: C:\Users\user\AppData\Local\lW7exk8\phoneactivate.exe Code function: 31_2_00007FF6DC4C4794 FindResourceExW,GetLastError,LoadResource,LockResource, 31_2_00007FF6DC4C4794
Source: yPeVDkBY3n.dll Static PE information: More than 4319 > 100 exports found
Source: yPeVDkBY3n.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: yPeVDkBY3n.dll Static file information: File size 2330624 > 1048576
Source: yPeVDkBY3n.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: rdpinput.pdbGCTL source: rdpinput.exe, 00000029.00000002.516210591.00007FF609423000.00000002.00020000.sdmp, rdpinput.exe.6.dr
Source: Binary string: netplwiz.pdb source: Netplwiz.exe, 00000016.00000000.340021243.00007FF7D7314000.00000002.00020000.sdmp, Netplwiz.exe.6.dr
Source: Binary string: netplwiz.pdbGCTL source: Netplwiz.exe, 00000016.00000000.340021243.00007FF7D7314000.00000002.00020000.sdmp, Netplwiz.exe.6.dr
Source: Binary string: wbengine.pdbGCTL source: wbengine.exe.6.dr
Source: Binary string: phoneactivate.pdb source: phoneactivate.exe, 0000001F.00000000.405014685.00007FF6DC4D0000.00000002.00020000.sdmp, phoneactivate.exe.6.dr
Source: Binary string: wbengine.pdb source: wbengine.exe.6.dr
Source: Binary string: WerMgr.pdb source: wermgr.exe, 00000024.00000002.461794461.00007FF7E2165000.00000002.00020000.sdmp, wermgr.exe, 00000027.00000000.463164776.00007FF75F9C5000.00000002.00020000.sdmp, wermgr.exe.6.dr
Source: Binary string: SystemPropertiesProtection.pdb source: SystemPropertiesProtection.exe.6.dr
Source: Binary string: SystemPropertiesProtection.pdbGCTL source: SystemPropertiesProtection.exe.6.dr
Source: Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe.6.dr
Source: Binary string: phoneactivate.pdbGCTL source: phoneactivate.exe, 0000001F.00000000.405014685.00007FF6DC4D0000.00000002.00020000.sdmp, phoneactivate.exe.6.dr
Source: Binary string: rdpinput.pdb source: rdpinput.exe, 00000029.00000002.516210591.00007FF609423000.00000002.00020000.sdmp, rdpinput.exe.6.dr
Source: Binary string: recdisc.pdb source: recdisc.exe, 0000001B.00000000.366530322.00007FF6C2013000.00000002.00020000.sdmp, recdisc.exe.6.dr
Source: Binary string: recdisc.pdbGCTL source: recdisc.exe, 0000001B.00000000.366530322.00007FF6C2013000.00000002.00020000.sdmp, recdisc.exe.6.dr
Source: Binary string: WMPDMC.pdb source: WMPDMC.exe.6.dr
Source: Binary string: WerMgr.pdbGCTL source: wermgr.exe, 00000024.00000002.461794461.00007FF7E2165000.00000002.00020000.sdmp, wermgr.exe, 00000027.00000000.463164776.00007FF75F9C5000.00000002.00020000.sdmp, wermgr.exe.6.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140056A4D push rdi; ret 1_2_0000000140056A4E
Source: C:\Users\user\AppData\Local\iBq\rdpinput.exe Code function: 41_2_00007FF609405E92 push rcx; ret 41_2_00007FF609405E93
PE file contains sections with non-standard names
Source: yPeVDkBY3n.dll Static PE information: section name: .qkm
Source: yPeVDkBY3n.dll Static PE information: section name: .cvjb
Source: yPeVDkBY3n.dll Static PE information: section name: .tlmkv
Source: yPeVDkBY3n.dll Static PE information: section name: .wucsxe
Source: yPeVDkBY3n.dll Static PE information: section name: .fltwtj
Source: yPeVDkBY3n.dll Static PE information: section name: .tblq
Source: yPeVDkBY3n.dll Static PE information: section name: .hcmjm
Source: yPeVDkBY3n.dll Static PE information: section name: .nagyk
Source: yPeVDkBY3n.dll Static PE information: section name: .jrucz
Source: yPeVDkBY3n.dll Static PE information: section name: .rnr
Source: yPeVDkBY3n.dll Static PE information: section name: .ths
Source: yPeVDkBY3n.dll Static PE information: section name: .uuy
Source: yPeVDkBY3n.dll Static PE information: section name: .llcgmp
Source: yPeVDkBY3n.dll Static PE information: section name: .zibji
Source: yPeVDkBY3n.dll Static PE information: section name: .nnbdme
Source: yPeVDkBY3n.dll Static PE information: section name: .oxoht
Source: yPeVDkBY3n.dll Static PE information: section name: .poofxn
Source: yPeVDkBY3n.dll Static PE information: section name: .yoxffm
Source: yPeVDkBY3n.dll Static PE information: section name: .lbp
Source: yPeVDkBY3n.dll Static PE information: section name: .cmyjh
Source: yPeVDkBY3n.dll Static PE information: section name: .khlpd
Source: yPeVDkBY3n.dll Static PE information: section name: .ksydf
Source: yPeVDkBY3n.dll Static PE information: section name: .jtgc
Source: yPeVDkBY3n.dll Static PE information: section name: .ivi
Source: yPeVDkBY3n.dll Static PE information: section name: .sqcys
Source: phoneactivate.exe.6.dr Static PE information: section name: .imrsiv
Source: wermgr.exe.6.dr Static PE information: section name: .imrsiv
Source: wermgr.exe.6.dr Static PE information: section name: .didat
Source: wermgr.exe0.6.dr Static PE information: section name: .imrsiv
Source: wermgr.exe0.6.dr Static PE information: section name: .didat
Source: WMPDMC.exe.6.dr Static PE information: section name: .didat
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .qkm
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .cvjb
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .tlmkv
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .wucsxe
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .fltwtj
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .tblq
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .hcmjm
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .nagyk
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .jrucz
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .rnr
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .ths
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .uuy
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .llcgmp
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .zibji
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .nnbdme
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .oxoht
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .poofxn
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .yoxffm
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .lbp
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .cmyjh
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .khlpd
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .ksydf
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .jtgc
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .ivi
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .sqcys
Source: NETPLWIZ.dll.6.dr Static PE information: section name: .pyswvk
Source: ReAgent.dll.6.dr Static PE information: section name: .qkm
Source: ReAgent.dll.6.dr Static PE information: section name: .cvjb
Source: ReAgent.dll.6.dr Static PE information: section name: .tlmkv
Source: ReAgent.dll.6.dr Static PE information: section name: .wucsxe
Source: ReAgent.dll.6.dr Static PE information: section name: .fltwtj
Source: ReAgent.dll.6.dr Static PE information: section name: .tblq
Source: ReAgent.dll.6.dr Static PE information: section name: .hcmjm
Source: ReAgent.dll.6.dr Static PE information: section name: .nagyk
Source: ReAgent.dll.6.dr Static PE information: section name: .jrucz
Source: ReAgent.dll.6.dr Static PE information: section name: .rnr
Source: ReAgent.dll.6.dr Static PE information: section name: .ths
Source: ReAgent.dll.6.dr Static PE information: section name: .uuy
Source: ReAgent.dll.6.dr Static PE information: section name: .llcgmp
Source: ReAgent.dll.6.dr Static PE information: section name: .zibji
Source: ReAgent.dll.6.dr Static PE information: section name: .nnbdme
Source: ReAgent.dll.6.dr Static PE information: section name: .oxoht
Source: ReAgent.dll.6.dr Static PE information: section name: .poofxn
Source: ReAgent.dll.6.dr Static PE information: section name: .yoxffm
Source: ReAgent.dll.6.dr Static PE information: section name: .lbp
Source: ReAgent.dll.6.dr Static PE information: section name: .cmyjh
Source: ReAgent.dll.6.dr Static PE information: section name: .khlpd
Source: ReAgent.dll.6.dr Static PE information: section name: .ksydf
Source: ReAgent.dll.6.dr Static PE information: section name: .jtgc
Source: ReAgent.dll.6.dr Static PE information: section name: .ivi
Source: ReAgent.dll.6.dr Static PE information: section name: .sqcys
Source: ReAgent.dll.6.dr Static PE information: section name: .xfh
Source: DUI70.dll.6.dr Static PE information: section name: .qkm
Source: DUI70.dll.6.dr Static PE information: section name: .cvjb
Source: DUI70.dll.6.dr Static PE information: section name: .tlmkv
Source: DUI70.dll.6.dr Static PE information: section name: .wucsxe
Source: DUI70.dll.6.dr Static PE information: section name: .fltwtj
Source: DUI70.dll.6.dr Static PE information: section name: .tblq
Source: DUI70.dll.6.dr Static PE information: section name: .hcmjm
Source: DUI70.dll.6.dr Static PE information: section name: .nagyk
Source: DUI70.dll.6.dr Static PE information: section name: .jrucz
Source: DUI70.dll.6.dr Static PE information: section name: .rnr
Source: DUI70.dll.6.dr Static PE information: section name: .ths
Source: DUI70.dll.6.dr Static PE information: section name: .uuy
Source: DUI70.dll.6.dr Static PE information: section name: .llcgmp
Source: DUI70.dll.6.dr Static PE information: section name: .zibji
Source: DUI70.dll.6.dr Static PE information: section name: .nnbdme
Source: DUI70.dll.6.dr Static PE information: section name: .oxoht
Source: DUI70.dll.6.dr Static PE information: section name: .poofxn
Source: DUI70.dll.6.dr Static PE information: section name: .yoxffm
Source: DUI70.dll.6.dr Static PE information: section name: .lbp
Source: DUI70.dll.6.dr Static PE information: section name: .cmyjh
Source: DUI70.dll.6.dr Static PE information: section name: .khlpd
Source: DUI70.dll.6.dr Static PE information: section name: .ksydf
Source: DUI70.dll.6.dr Static PE information: section name: .jtgc
Source: DUI70.dll.6.dr Static PE information: section name: .ivi
Source: DUI70.dll.6.dr Static PE information: section name: .sqcys
Source: DUI70.dll.6.dr Static PE information: section name: .grwy
Source: wer.dll.6.dr Static PE information: section name: .qkm
Source: wer.dll.6.dr Static PE information: section name: .cvjb
Source: wer.dll.6.dr Static PE information: section name: .tlmkv
Source: wer.dll.6.dr Static PE information: section name: .wucsxe
Source: wer.dll.6.dr Static PE information: section name: .fltwtj
Source: wer.dll.6.dr Static PE information: section name: .tblq
Source: wer.dll.6.dr Static PE information: section name: .hcmjm
Source: wer.dll.6.dr Static PE information: section name: .nagyk
Source: wer.dll.6.dr Static PE information: section name: .jrucz
Source: wer.dll.6.dr Static PE information: section name: .rnr
Source: wer.dll.6.dr Static PE information: section name: .ths
Source: wer.dll.6.dr Static PE information: section name: .uuy
Source: wer.dll.6.dr Static PE information: section name: .llcgmp
Source: wer.dll.6.dr Static PE information: section name: .zibji
Source: wer.dll.6.dr Static PE information: section name: .nnbdme
Source: wer.dll.6.dr Static PE information: section name: .oxoht
Source: wer.dll.6.dr Static PE information: section name: .poofxn
Source: wer.dll.6.dr Static PE information: section name: .yoxffm
Source: wer.dll.6.dr Static PE information: section name: .lbp
Source: wer.dll.6.dr Static PE information: section name: .cmyjh
Source: wer.dll.6.dr Static PE information: section name: .khlpd
Source: wer.dll.6.dr Static PE information: section name: .ksydf
Source: wer.dll.6.dr Static PE information: section name: .jtgc
Source: wer.dll.6.dr Static PE information: section name: .ivi
Source: wer.dll.6.dr Static PE information: section name: .sqcys
Source: wer.dll.6.dr Static PE information: section name: .qbg
Source: wer.dll0.6.dr Static PE information: section name: .qkm
Source: wer.dll0.6.dr Static PE information: section name: .cvjb
Source: wer.dll0.6.dr Static PE information: section name: .tlmkv
Source: wer.dll0.6.dr Static PE information: section name: .wucsxe
Source: wer.dll0.6.dr Static PE information: section name: .fltwtj
Source: wer.dll0.6.dr Static PE information: section name: .tblq
Source: wer.dll0.6.dr Static PE information: section name: .hcmjm
Source: wer.dll0.6.dr Static PE information: section name: .nagyk
Source: wer.dll0.6.dr Static PE information: section name: .jrucz
Source: wer.dll0.6.dr Static PE information: section name: .rnr
Source: wer.dll0.6.dr Static PE information: section name: .ths
Source: wer.dll0.6.dr Static PE information: section name: .uuy
Source: wer.dll0.6.dr Static PE information: section name: .llcgmp
Source: wer.dll0.6.dr Static PE information: section name: .zibji
Source: wer.dll0.6.dr Static PE information: section name: .nnbdme
Source: wer.dll0.6.dr Static PE information: section name: .oxoht
Source: wer.dll0.6.dr Static PE information: section name: .poofxn
Source: wer.dll0.6.dr Static PE information: section name: .yoxffm
Source: wer.dll0.6.dr Static PE information: section name: .lbp
Source: wer.dll0.6.dr Static PE information: section name: .cmyjh
Source: wer.dll0.6.dr Static PE information: section name: .khlpd
Source: wer.dll0.6.dr Static PE information: section name: .ksydf
Source: wer.dll0.6.dr Static PE information: section name: .jtgc
Source: wer.dll0.6.dr Static PE information: section name: .ivi
Source: wer.dll0.6.dr Static PE information: section name: .sqcys
Source: wer.dll0.6.dr Static PE information: section name: .kjh
Source: WINSTA.dll.6.dr Static PE information: section name: .qkm
Source: WINSTA.dll.6.dr Static PE information: section name: .cvjb
Source: WINSTA.dll.6.dr Static PE information: section name: .tlmkv
Source: WINSTA.dll.6.dr Static PE information: section name: .wucsxe
Source: WINSTA.dll.6.dr Static PE information: section name: .fltwtj
Source: WINSTA.dll.6.dr Static PE information: section name: .tblq
Source: WINSTA.dll.6.dr Static PE information: section name: .hcmjm
Source: WINSTA.dll.6.dr Static PE information: section name: .nagyk
Source: WINSTA.dll.6.dr Static PE information: section name: .jrucz
Source: WINSTA.dll.6.dr Static PE information: section name: .rnr
Source: WINSTA.dll.6.dr Static PE information: section name: .ths
Source: WINSTA.dll.6.dr Static PE information: section name: .uuy
Source: WINSTA.dll.6.dr Static PE information: section name: .llcgmp
Source: WINSTA.dll.6.dr Static PE information: section name: .zibji
Source: WINSTA.dll.6.dr Static PE information: section name: .nnbdme
Source: WINSTA.dll.6.dr Static PE information: section name: .oxoht
Source: WINSTA.dll.6.dr Static PE information: section name: .poofxn
Source: WINSTA.dll.6.dr Static PE information: section name: .yoxffm
Source: WINSTA.dll.6.dr Static PE information: section name: .lbp
Source: WINSTA.dll.6.dr Static PE information: section name: .cmyjh
Source: WINSTA.dll.6.dr Static PE information: section name: .khlpd
Source: WINSTA.dll.6.dr Static PE information: section name: .ksydf
Source: WINSTA.dll.6.dr Static PE information: section name: .jtgc
Source: WINSTA.dll.6.dr Static PE information: section name: .ivi
Source: WINSTA.dll.6.dr Static PE information: section name: .sqcys
Source: WINSTA.dll.6.dr Static PE information: section name: .iwang
Source: SYSDM.CPL.6.dr Static PE information: section name: .qkm
Source: SYSDM.CPL.6.dr Static PE information: section name: .cvjb
Source: SYSDM.CPL.6.dr Static PE information: section name: .tlmkv
Source: SYSDM.CPL.6.dr Static PE information: section name: .wucsxe
Source: SYSDM.CPL.6.dr Static PE information: section name: .fltwtj
Source: SYSDM.CPL.6.dr Static PE information: section name: .tblq
Source: SYSDM.CPL.6.dr Static PE information: section name: .hcmjm
Source: SYSDM.CPL.6.dr Static PE information: section name: .nagyk
Source: SYSDM.CPL.6.dr Static PE information: section name: .jrucz
Source: SYSDM.CPL.6.dr Static PE information: section name: .rnr
Source: SYSDM.CPL.6.dr Static PE information: section name: .ths
Source: SYSDM.CPL.6.dr Static PE information: section name: .uuy
Source: SYSDM.CPL.6.dr Static PE information: section name: .llcgmp
Source: SYSDM.CPL.6.dr Static PE information: section name: .zibji
Source: SYSDM.CPL.6.dr Static PE information: section name: .nnbdme
Source: SYSDM.CPL.6.dr Static PE information: section name: .oxoht
Source: SYSDM.CPL.6.dr Static PE information: section name: .poofxn
Source: SYSDM.CPL.6.dr Static PE information: section name: .yoxffm
Source: SYSDM.CPL.6.dr Static PE information: section name: .lbp
Source: SYSDM.CPL.6.dr Static PE information: section name: .cmyjh
Source: SYSDM.CPL.6.dr Static PE information: section name: .khlpd
Source: SYSDM.CPL.6.dr Static PE information: section name: .ksydf
Source: SYSDM.CPL.6.dr Static PE information: section name: .jtgc
Source: SYSDM.CPL.6.dr Static PE information: section name: .ivi
Source: SYSDM.CPL.6.dr Static PE information: section name: .sqcys
Source: SYSDM.CPL.6.dr Static PE information: section name: .gkwrn
Source: dwmapi.dll.6.dr Static PE information: section name: .qkm
Source: dwmapi.dll.6.dr Static PE information: section name: .cvjb
Source: dwmapi.dll.6.dr Static PE information: section name: .tlmkv
Source: dwmapi.dll.6.dr Static PE information: section name: .wucsxe
Source: dwmapi.dll.6.dr Static PE information: section name: .fltwtj
Source: dwmapi.dll.6.dr Static PE information: section name: .tblq
Source: dwmapi.dll.6.dr Static PE information: section name: .hcmjm
Source: dwmapi.dll.6.dr Static PE information: section name: .nagyk
Source: dwmapi.dll.6.dr Static PE information: section name: .jrucz
Source: dwmapi.dll.6.dr Static PE information: section name: .rnr
Source: dwmapi.dll.6.dr Static PE information: section name: .ths
Source: dwmapi.dll.6.dr Static PE information: section name: .uuy
Source: dwmapi.dll.6.dr Static PE information: section name: .llcgmp
Source: dwmapi.dll.6.dr Static PE information: section name: .zibji
Source: dwmapi.dll.6.dr Static PE information: section name: .nnbdme
Source: dwmapi.dll.6.dr Static PE information: section name: .oxoht
Source: dwmapi.dll.6.dr Static PE information: section name: .poofxn
Source: dwmapi.dll.6.dr Static PE information: section name: .yoxffm
Source: dwmapi.dll.6.dr Static PE information: section name: .lbp
Source: dwmapi.dll.6.dr Static PE information: section name: .cmyjh
Source: dwmapi.dll.6.dr Static PE information: section name: .khlpd
Source: dwmapi.dll.6.dr Static PE information: section name: .ksydf
Source: dwmapi.dll.6.dr Static PE information: section name: .jtgc
Source: dwmapi.dll.6.dr Static PE information: section name: .ivi
Source: dwmapi.dll.6.dr Static PE information: section name: .sqcys
Source: dwmapi.dll.6.dr Static PE information: section name: .hmami
Source: wer.dll1.6.dr Static PE information: section name: .qkm
Source: wer.dll1.6.dr Static PE information: section name: .cvjb
Source: wer.dll1.6.dr Static PE information: section name: .tlmkv
Source: wer.dll1.6.dr Static PE information: section name: .wucsxe
Source: wer.dll1.6.dr Static PE information: section name: .fltwtj
Source: wer.dll1.6.dr Static PE information: section name: .tblq
Source: wer.dll1.6.dr Static PE information: section name: .hcmjm
Source: wer.dll1.6.dr Static PE information: section name: .nagyk
Source: wer.dll1.6.dr Static PE information: section name: .jrucz
Source: wer.dll1.6.dr Static PE information: section name: .rnr
Source: wer.dll1.6.dr Static PE information: section name: .ths
Source: wer.dll1.6.dr Static PE information: section name: .uuy
Source: wer.dll1.6.dr Static PE information: section name: .llcgmp
Source: wer.dll1.6.dr Static PE information: section name: .zibji
Source: wer.dll1.6.dr Static PE information: section name: .nnbdme
Source: wer.dll1.6.dr Static PE information: section name: .oxoht
Source: wer.dll1.6.dr Static PE information: section name: .poofxn
Source: wer.dll1.6.dr Static PE information: section name: .yoxffm
Source: wer.dll1.6.dr Static PE information: section name: .lbp
Source: wer.dll1.6.dr Static PE information: section name: .cmyjh
Source: wer.dll1.6.dr Static PE information: section name: .khlpd
Source: wer.dll1.6.dr Static PE information: section name: .ksydf
Source: wer.dll1.6.dr Static PE information: section name: .jtgc
Source: wer.dll1.6.dr Static PE information: section name: .ivi
Source: wer.dll1.6.dr Static PE information: section name: .sqcys
Source: wer.dll1.6.dr Static PE information: section name: .uxnmn
PE file contains an invalid checksum
Source: DUI70.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x289607
Source: yPeVDkBY3n.dll Static PE information: real checksum: 0x7d786c40 should be: 0x2428c2
Source: wer.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x23b447
Source: WINSTA.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x243435
Source: SYSDM.CPL.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x2420d8
Source: ReAgent.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x23e2c0
Source: NETPLWIZ.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x249738
Source: wer.dll0.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x23b64a
Source: dwmapi.dll.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x243847
Source: wer.dll1.6.dr Static PE information: real checksum: 0x7d786c40 should be: 0x249d95
Binary contains a suspicious time stamp
Source: Netplwiz.exe.6.dr Static PE information: 0xD5E5CD76 [Sun Sep 19 19:22:30 2083 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NMBpLf1V\SYSDM.CPL
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\iBq\WINSTA.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\xnA\WMPDMC.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\r4gbgdji\ReAgent.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\02vERQ6Eo\wer.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\lW7exk8\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\JaJWNKcB\wer.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NMBpLf1V\SYSDM.CPL
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NMBpLf1V\SystemPropertiesProtection.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\SbH2\NETPLWIZ.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\iBq\rdpinput.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\xnA\dwmapi.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4S1sd\wbengine.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\lW7exk8\phoneactivate.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\SbH2\Netplwiz.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4S1sd\wer.dll
Source: C:\Users\user\AppData\Local\iBq\rdpinput.exe Code function: 41_2_00007FF609404B74 OpenSCManagerW,OpenServiceW,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,Sleep, 41_2_00007FF609404B74

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\iBq\rdpinput.exe Code function: 41_2_00007FF609413F94 LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 41_2_00007FF609413F94
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 4140 Thread sleep count: 36 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\xnA\WMPDMC.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\NMBpLf1V\SYSDM.CPL
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\NMBpLf1V\SystemPropertiesProtection.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\xnA\dwmapi.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\4S1sd\wbengine.exe
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E2157BC4 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 01h and CTI: jne 00007FF7E2157CE0h 36_2_00007FF7E2157BC4
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe Code function: 39_2_00007FF75F9B7BC4 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 01h and CTI: jne 00007FF75F9B7CE0h 39_2_00007FF75F9B7BC4
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005C340 GetSystemInfo, 1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D290 FindFirstFileExW, 1_2_000000014005D290
Source: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe Code function: 27_2_00007FF6C20062CC memset,memset,FindFirstFileW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,FindClose, 27_2_00007FF6C20062CC
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E2161BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose, 36_2_00007FF7E2161BA0
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E215BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose, 36_2_00007FF7E215BE54
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe Code function: 39_2_00007FF75F9BBE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose, 39_2_00007FF75F9BBE54
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe Code function: 39_2_00007FF75F9C1BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose, 39_2_00007FF75F9C1BA0
Source: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe Code function: 27_2_00007FF6C200A050 memset,CoCreateGuid,GetLogicalDriveStringsW,GetDriveTypeW,GetDiskFreeSpaceExW,CloseHandle,CreateFileW,CloseHandle,CloseHandle, 27_2_00007FF6C200A050
Source: explorer.exe, 00000006.00000000.260976521.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000006.00000000.260976521.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.284855178.000000000E9F0000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.280460232.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.284855178.000000000E9F0000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S##
Source: explorer.exe, 00000006.00000000.280460232.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000006.00000000.272262073.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.280460232.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000006.00000000.279397370.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000006.00000000.279397370.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.294097957.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\SbH2\Netplwiz.exe Code function: 22_2_00007FF7D7311728 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 22_2_00007FF7D7311728
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\SbH2\Netplwiz.exe Code function: 22_2_00007FF7D7313D70 GetProcessHeap,HeapFree, 22_2_00007FF7D7313D70
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140048AC0 LdrLoadDll,FindClose, 1_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\SbH2\Netplwiz.exe Code function: 22_2_00007FF7D7313690 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_00007FF7D7313690
Source: C:\Users\user\AppData\Local\SbH2\Netplwiz.exe Code function: 22_2_00007FF7D7313930 SetUnhandledExceptionFilter, 22_2_00007FF7D7313930
Source: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe Code function: 27_2_00007FF6C2011FB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 27_2_00007FF6C2011FB4
Source: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe Code function: 27_2_00007FF6C2011D30 SetUnhandledExceptionFilter, 27_2_00007FF6C2011D30
Source: C:\Users\user\AppData\Local\lW7exk8\phoneactivate.exe Code function: 31_2_00007FF6DC4CDD68 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_00007FF6DC4CDD68
Source: C:\Users\user\AppData\Local\lW7exk8\phoneactivate.exe Code function: 31_2_00007FF6DC4CE060 SetUnhandledExceptionFilter, 31_2_00007FF6DC4CE060
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E2163140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_00007FF7E2163140
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E2162B00 SetUnhandledExceptionFilter, 36_2_00007FF7E2162B00
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe Code function: 39_2_00007FF75F9C2B00 SetUnhandledExceptionFilter, 39_2_00007FF75F9C2B00
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe Code function: 39_2_00007FF75F9C3140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 39_2_00007FF75F9C3140
Source: C:\Users\user\AppData\Local\iBq\rdpinput.exe Code function: 41_2_00007FF609422610 SetUnhandledExceptionFilter, 41_2_00007FF609422610
Source: C:\Users\user\AppData\Local\iBq\rdpinput.exe Code function: 41_2_00007FF60942292C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 41_2_00007FF60942292C

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: NETPLWIZ.dll.6.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFFAE1CE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFFAC2B2A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yPeVDkBY3n.dll',#1
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E215AE50 GetFileSecurityW,GetLastError,GetFileSecurityW,GetLastError,GetSecurityDescriptorDacl,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,SetEntriesInAclW,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,SetFileSecurityW,GetLastError,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,LocalFree,CloseHandle, 36_2_00007FF7E215AE50
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Code function: 36_2_00007FF7E2161750 AllocateAndInitializeSid,CheckTokenMembership,RegOpenKeyExW,RegCloseKey,FreeSid, 36_2_00007FF7E2161750
Source: explorer.exe, 00000006.00000000.290073698.0000000001400000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000006.00000000.290073698.0000000001400000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.290073698.0000000001400000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.290073698.0000000001400000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.269794712.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000006.00000000.279397370.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\SbH2\Netplwiz.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\r4gbgdji\recdisc.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\lW7exk8\phoneactivate.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\JaJWNKcB\wermgr.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\02vERQ6Eo\wermgr.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\iBq\rdpinput.exe Queries volume information: unknown VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\SbH2\Netplwiz.exe Code function: HeapSetInformation,memset,LoadCursorW,GetStockObject,RegisterClassW,GetUserDefaultUILanguage,GetLocaleInfoW,CreateWindowExW,GetLastError,CreateWindowExW,UsersRunDllW,DestroyWindow, 22_2_00007FF7D731286C
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\SbH2\Netplwiz.exe Code function: 22_2_00007FF7D7313AD0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 22_2_00007FF7D7313AD0
Source: C:\Users\user\AppData\Local\iBq\rdpinput.exe Code function: 41_2_00007FF60941D63C GetVersionExW, 41_2_00007FF60941D63C

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\lW7exk8\phoneactivate.exe Code function: 31_2_00007FF6DC4C1E00 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z, 31_2_00007FF6DC4C1E00
No contacted IP infos