Windows Analysis Report 2epPHr8ygJ

Overview

General Information

Sample Name: 2epPHr8ygJ (renamed file extension from none to dll)
Analysis ID: 492879
MD5: 31058530a762dc9f9bb34d28203f5314
SHA1: 28c5d0fc080868ebb37050a565796f19a48eee87
SHA256: 2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Accesses ntoskrnl, likely to find offsets for exploits
Uses Atom Bombing / PROPagate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 2epPHr8ygJ.dll Metadefender: Detection: 62%
Source: 2epPHr8ygJ.dll ReversingLabs: Detection: 80%
Antivirus / Scanner detection for submitted sample
Source: 2epPHr8ygJ.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\EPV\WTSAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\29qb\MFC42u.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: 2epPHr8ygJ.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\EPV\WTSAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\29qb\MFC42u.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll Joe Sandbox ML: detected
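
Each dropped DLL above carries the name of a library that normally lives in System32 (WTSAPI32.dll, UxTheme.dll, DUI70.dll, MFC42u.dll, OLEACC.dll) and sits in a randomly named directory under %LOCALAPPDATA% next to a copy of a Microsoft executable named later in this report (lqtTrEDJ\msdt.exe, Ga7Wl\WMPDMC.exe, 29qb\FXSCOVER.exe; the msdt.pdb, WMPDMC.pdb and FXSCOVER.pdb strings quoted below identify the images). That is the layout of DLL search-order hijacking: the copied executable resolves the DLL from its own directory and loads the malicious copy instead of the system one. The script below is an added triage example by the editor, not part of the Joe Sandbox output. It takes the file paths quoted on this page as constructed input and pairs each directory's executable with any System32-named DLL beside it; the set of System32 names is an assumption trimmed to this sample and would be built from a clean-host inventory in practice.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# File paths quoted in this report (dropped DLLs and the executables whose
# code functions are cited). Constructed input, copied from the page, plus
# one legitimate System32 path that must not be flagged.
REPORT_PATHS = [
    r"C:\Users\user\AppData\Local\EPV\WTSAPI32.dll",
    r"C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll",
    r"C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll",
    r"C:\Users\user\AppData\Local\29qb\MFC42u.dll",
    r"C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll",
    r"C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe",
    r"C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe",
    r"C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe",
    r"C:\Users\user\AppData\Local\29qb\FXSCOVER.exe",
    r"C:\Windows\System32\uxtheme.dll",
]

# DLL names that belong in %SystemRoot%\System32. Assumption: trimmed to the
# names in this sample; build it from a clean-host inventory in practice.
SYSTEM32_DLLS = {"wtsapi32.dll", "uxtheme.dll", "dui70.dll", "mfc42u.dll", "oleacc.dll"}

# <drive>:\Users\<profile>\AppData\Local\<one directory>\<file>
LOCALAPPDATA_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\]+\\[^\\]+$", re.I)


def find_sideload_stages(paths, system_dlls=SYSTEM32_DLLS):
    """Group %LOCALAPPDATA% files by directory.

    Returns (stages, orphan_dlls): `stages` maps each directory that holds
    both an .exe and a System32-named DLL to (sorted exes, sorted dlls);
    `orphan_dlls` lists System32-named DLLs whose companion executable was
    not seen (still worth a look: the name alone is out of place there).
    """
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    for p in paths:
        if not LOCALAPPDATA_RE.match(p):
            continue
        wp = PureWindowsPath(p)
        low = wp.name.lower()
        if low.endswith(".exe"):
            by_dir[str(wp.parent)]["exe"].append(wp.name)
        elif low in system_dlls:
            by_dir[str(wp.parent)]["dll"].append(wp.name)

    stages, orphan_dlls = {}, []
    for directory, files in by_dir.items():
        if files["exe"] and files["dll"]:
            stages[directory] = (sorted(files["exe"]), sorted(files["dll"]))
        else:
            orphan_dlls.extend(f"{directory}\\{name}" for name in files["dll"])
    return stages, sorted(orphan_dlls)


if __name__ == "__main__":
    stages, orphans = find_sideload_stages(REPORT_PATHS)
    for directory, (exes, dlls) in sorted(stages.items()):
        print(f"side-load stage {directory}: {', '.join(exes)} + {', '.join(dlls)}")
    for dll in orphans:
        print(f"System32-named DLL outside System32, companion not seen: {dll}")
```

On this report's paths the script pairs lqtTrEDJ (msdt.exe + UxTheme.dll), Ga7Wl (WMPDMC.exe + OLEACC.dll) and 29qb (FXSCOVER.exe + MFC42u.dll), and reports EPV\WTSAPI32.dll and 3AoDbJo\DUI70.dll as System32-named DLLs whose host executable the report does not list. A directory with only an executable, such as p1G0zp\MDMAppInstaller.exe, is not flagged; on a live host the same grouping applied to a directory listing would show which DLL that copy loads.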

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2BDF30 CertGetCertificateContextProperty,GetLastError,CryptHashCertificate,GetLastError,GetLastError,CertFreeCertificateContext, 18_2_00007FF68F2BDF30
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: 33_2_00007FF72944E64C EnterCriticalSection,CryptAcquireContextW,CryptAcquireContextW,GetLastError,LeaveCriticalSection,CryptReleaseContext,memset, 33_2_00007FF72944E64C
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: 33_2_00007FF72944E934 CreateFileW,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CloseHandle,CryptDestroyHash,??_V@YAXPEAX@Z,CryptReleaseContext,??3@YAXPEAX@Z,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetHashParam,GetLastError, 33_2_00007FF72944E934

Exploits:

Accesses ntoskrnl, likely to find offsets for exploits
Source: C:\Windows\explorer.exe File opened: C:\Windows\system32\ntkrnlmp.exe
Source: 2epPHr8ygJ.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: FXSCOVER.pdb source: FXSCOVER.exe, 0000001B.00000002.491482868.00007FF74C9D2000.00000002.00020000.sdmp
Source: Binary string: mdmappinstaller.pdbGCTL source: MDMAppInstaller.exe, 00000021.00000002.558251742.00007FF729455000.00000002.00020000.sdmp
Source: Binary string: msdt.pdbGCTL source: msdt.exe, 00000012.00000000.401947777.00007FF68F2D8000.00000002.00020000.sdmp
Source: Binary string: FXSCOVER.pdbGCTL source: FXSCOVER.exe, 0000001B.00000002.491482868.00007FF74C9D2000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe, 00000018.00000002.453541823.00007FF6A13DD000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe, 0000001F.00000002.531397524.00007FF7EAC35000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe, 0000001F.00000002.531397524.00007FF7EAC35000.00000002.00020000.sdmp
Source: Binary string: msdt.pdb source: msdt.exe, 00000012.00000000.401947777.00007FF68F2D8000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdb source: WMPDMC.exe, 00000018.00000002.453541823.00007FF6A13DD000.00000002.00020000.sdmp
Source: Binary string: mdmappinstaller.pdb source: MDMAppInstaller.exe, 00000021.00000002.558251742.00007FF729455000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B2770 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 18_2_00007FF68F2B2770
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B7784 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 18_2_00007FF68F2B7784
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2CA65C memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 18_2_00007FF68F2CA65C
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B6720 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 18_2_00007FF68F2B6720
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2CBD48 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 18_2_00007FF68F2CBD48
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B7C3C GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree, 18_2_00007FF68F2B7C3C
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B6494 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,#13,GetLastError,GetProcessHeap,HeapFree, 18_2_00007FF68F2B6494

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1322AE8 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,GetObjectW,GdiplusStartup,GdipAlloc,GdipCreateBitmapFromHBITMAP,GdipGetImageWidth,GdipGetImageHeight,GdipCreateHBITMAPFromBitmap,GdiplusShutdown,DeleteObject,DeleteDC,ReleaseDC, 24_2_00007FF6A1322AE8
Contains functionality to read data from the clipboard
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B3120 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree, 18_2_00007FF68F2B3120

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000009.00000002.309477044.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.555412391.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.301872328.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.423955889.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.489814069.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.394275962.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.451585055.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.294861665.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.526607967.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.597575856.0000000140001000.00000020.00020000.sdmp, type: MEMORY
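
All eleven Yara hits above sit at the same base, 0x140001000, in eleven different processes. The report mixes two numbering schemes: the first field of a memory-dump name is the process index in hex, while the `N_2_` prefix of a "Code function" line carries the same index in decimal, so dump `00000012.…` and the `18_2_…` functions both belong to msdt.exe, and the .pdb lines tie 0x1B, 0x18, 0x1F and 0x21 to FXSCOVER.exe, WMPDMC.exe, CameraSettingsUIHost.exe and MDMAppInstaller.exe. Read the same way, the code-function addresses under Cryptography and Screen Capturing (00007FF68F2B…, 00007FF6A132…) fall in the same regions as those executables' own .pdb strings, which is where the host binaries' code lives; the Dridex code the Yara rule matched is the region at 0x140001000. The script below is an added example by the editor, not part of the Joe Sandbox output: it parses the dump names quoted in this report, joins them with the process names the report gives elsewhere, and lists which named process holds the unpacked payload. The field layout of the dump name, and the reading of its fifth field as a raw Win32 PAGE_* protection constant, are assumptions taken from the lines themselves, not something the page states.

```python
import re

# Memory-dump names quoted in this report's "Yara detected Dridex unpacked
# file" matches. Layout assumed from the lines themselves (not documented on
# the page): <process index, hex>.<phase>.<dump id>.<base>.<protect>.<type>.sdmp
YARA_DUMPS = [
    "00000009.00000002.309477044.0000000140001000.00000020.00020000.sdmp",
    "00000021.00000002.555412391.0000000140001000.00000020.00020000.sdmp",
    "00000007.00000002.301872328.0000000140001000.00000020.00020000.sdmp",
    "00000012.00000002.423955889.0000000140001000.00000020.00020000.sdmp",
    "00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp",
    "0000001B.00000002.489814069.0000000140001000.00000020.00020000.sdmp",
    "00000002.00000002.394275962.0000000140001000.00000020.00020000.sdmp",
    "00000018.00000002.451585055.0000000140001000.00000020.00020000.sdmp",
    "00000003.00000002.294861665.0000000140001000.00000020.00020000.sdmp",
    "0000001F.00000002.526607967.0000000140001000.00000020.00020000.sdmp",
    "00000028.00000002.597575856.0000000140001000.00000020.00020000.sdmp",
]

# Dumps the report attributes to a named image via its .pdb string.
PDB_SOURCES = {
    "FXSCOVER.exe": "0000001B.00000002.491482868.00007FF74C9D2000.00000002.00020000.sdmp",
    "MDMAppInstaller.exe": "00000021.00000002.558251742.00007FF729455000.00000002.00020000.sdmp",
    "msdt.exe": "00000012.00000000.401947777.00007FF68F2D8000.00000002.00020000.sdmp",
    "WMPDMC.exe": "00000018.00000002.453541823.00007FF6A13DD000.00000002.00020000.sdmp",
    "CameraSettingsUIHost.exe": "0000001F.00000002.531397524.00007FF7EAC35000.00000002.00020000.sdmp",
}

# "Code function" prefixes (<process index, decimal>_<phase>_<address>)
# the report attributes to named images.
CODE_FUNCTION_PREFIXES = {
    "loaddll64.exe": "0_2_000000014005D290",
    "msdt.exe": "18_2_00007FF68F2BDF30",
    "WMPDMC.exe": "24_2_00007FF6A1322AE8",
    "FXSCOVER.exe": "27_2_00007FF74C9BCDB0",
    "MDMAppInstaller.exe": "33_2_00007FF72944E64C",
}

DUMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)

# Win32 page-protection constants. Assumption: the fifth field is the raw
# PAGE_* value; the report does not say so.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_dump_name(name):
    """Split a Joe Sandbox dump file name into its numeric fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    pidx, phase, dump_id, base, protect, mtype = m.groups()
    return {"process": int(pidx, 16), "phase": int(phase, 16), "dump_id": int(dump_id),
            "base": int(base, 16), "protect": int(protect, 16), "type": int(mtype, 16)}


def process_names(pdb_sources, code_prefixes):
    """Map process index -> image name from both kinds of report line,
    refusing to continue if the two sources disagree for an index."""
    names = {}
    for exe, dump in pdb_sources.items():
        names[parse_dump_name(dump)["process"]] = exe
    for exe, prefix in code_prefixes.items():
        idx = int(prefix.split("_", 1)[0], 10)  # decimal here, hex in dump names
        if names.setdefault(idx, exe) != exe:
            raise ValueError(f"process {idx} named both {names[idx]} and {exe}")
    return names


def correlate(yara_dumps, names):
    """One row per Yara hit: (process index, image name or None, base, protection)."""
    rows = []
    for d in yara_dumps:
        info = parse_dump_name(d)
        rows.append((info["process"], names.get(info["process"]), info["base"],
                     PAGE_PROTECT.get(info["protect"], hex(info["protect"]))))
    return sorted(rows, key=lambda r: r[0])


if __name__ == "__main__":
    names = process_names(PDB_SOURCES, CODE_FUNCTION_PREFIXES)
    for idx, exe, base, prot in correlate(YARA_DUMPS, names):
        print(f"process {idx:>2} ({exe or 'not named in report'}): Dridex payload at {base:#x} {prot}")
```

The join names six of the eleven payload-bearing processes (loaddll64.exe, msdt.exe, WMPDMC.exe, FXSCOVER.exe, CameraSettingsUIHost.exe, MDMAppInstaller.exe); indices 2, 3, 7, 9 and 40 carry the same payload but no image name appears for them anywhere on this page, so the script leaves them unnamed rather than guessing.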

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140034870 0_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035270 0_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 0_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140065B80 0_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400524B0 0_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140026CC0 0_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004BD40 0_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400495B0 0_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140036F30 0_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069010 0_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001010 0_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140066020 0_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002F840 0_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D850 0_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140064080 0_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140010880 0_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400688A0 0_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002D0D0 0_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400018D0 0_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016100 0_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D100 0_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002A110 0_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001D910 0_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140015120 0_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000B120 0_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004F940 0_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140039140 0_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023140 0_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140057950 0_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014001E170 0_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140002980 0_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400611A0 0_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400389A0 0_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400381A0 0_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002E1B0 0_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400139D0 0_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400319F0 0_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002EA00 0_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022A00 0_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003B220 0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140067A40 0_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140069A50 0_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140007A60 0_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003AAC0 0_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003A2E0 0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140062B00 0_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018300 0_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002FB20 0_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031340 0_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022340 0_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140017B40 0_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000BB40 0_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014004EB60 0_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005370 0_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002CB80 0_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B390 0_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140054BA0 0_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033BB0 0_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400263C0 0_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400123C0 0_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140063BD0 0_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400663F0 0_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023BF0 0_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B41B 0_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B424 0_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B42D 0_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B436 0_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B43D 0_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140024440 0_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140005C40 0_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006B446 0_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005F490 0_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140022D00 0_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140035520 0_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019D20 0_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140030530 0_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140023530 0_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031540 0_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140033540 0_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014007BD50 0_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140078570 0_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140019580 0_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00000001400205A0 0_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140025DB0 0_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140071DC0 0_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000C5C0 0_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014002DDE0 0_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140031DF0 0_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014000DDF0 0_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140001620 0_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140018630 0_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140032650 0_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140064E80 0_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140016E80 0_2_0000000140016E80
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B2050 18_2_00007FF68F2B2050
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2BC878 18_2_00007FF68F2BC878
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2AC0E4 18_2_00007FF68F2AC0E4
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2A80F8 18_2_00007FF68F2A80F8
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B7784 18_2_00007FF68F2B7784
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B37E0 18_2_00007FF68F2B37E0
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2C97D8 18_2_00007FF68F2C97D8
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2AA6A4 18_2_00007FF68F2AA6A4
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F295678 18_2_00007FF68F295678
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F299678 18_2_00007FF68F299678
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B7F18 18_2_00007FF68F2B7F18
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2AC6FC 18_2_00007FF68F2AC6FC
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2BAD3C 18_2_00007FF68F2BAD3C
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B5DEC 18_2_00007FF68F2B5DEC
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2CE5CC 18_2_00007FF68F2CE5CC
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2AD618 18_2_00007FF68F2AD618
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2D1E04 18_2_00007FF68F2D1E04
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B3440 18_2_00007FF68F2B3440
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2CD440 18_2_00007FF68F2CD440
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2BCCE8 18_2_00007FF68F2BCCE8
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2AF4DC 18_2_00007FF68F2AF4DC
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F297D18 18_2_00007FF68F297D18
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B2360 18_2_00007FF68F2B2360
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F296360 18_2_00007FF68F296360
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F29FB90 18_2_00007FF68F29FB90
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2BFBEC 18_2_00007FF68F2BFBEC
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2BBA58 18_2_00007FF68F2BBA58
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2BD25C 18_2_00007FF68F2BD25C
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2ACA38 18_2_00007FF68F2ACA38
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2D52B0 18_2_00007FF68F2D52B0
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2A6AF0 18_2_00007FF68F2A6AF0
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F29BAEC 18_2_00007FF68F29BAEC
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2A2300 18_2_00007FF68F2A2300
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2A6150 18_2_00007FF68F2A6150
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2969B0 18_2_00007FF68F2969B0
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2BB1A4 18_2_00007FF68F2BB1A4
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2999D8 18_2_00007FF68F2999D8
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2C19B8 18_2_00007FF68F2C19B8
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A135C250 24_2_00007FF6A135C250
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13BE2F8 24_2_00007FF6A13BE2F8
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1382300 24_2_00007FF6A1382300
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13A8318 24_2_00007FF6A13A8318
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A138C330 24_2_00007FF6A138C330
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1392330 24_2_00007FF6A1392330
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1358180 24_2_00007FF6A1358180
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1320220 24_2_00007FF6A1320220
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A132A1BC 24_2_00007FF6A132A1BC
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1342498 24_2_00007FF6A1342498
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13CC464 24_2_00007FF6A13CC464
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A137E510 24_2_00007FF6A137E510
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13084E8 24_2_00007FF6A13084E8
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A131C4F4 24_2_00007FF6A131C4F4
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A135A340 24_2_00007FF6A135A340
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1396428 24_2_00007FF6A1396428
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13563C8 24_2_00007FF6A13563C8
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A139C3F0 24_2_00007FF6A139C3F0
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A131A3F0 24_2_00007FF6A131A3F0
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1336690 24_2_00007FF6A1336690
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13906B0 24_2_00007FF6A13906B0
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A138C72C 24_2_00007FF6A138C72C
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A134C6D0 24_2_00007FF6A134C6D0
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1370544 24_2_00007FF6A1370544
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1380570 24_2_00007FF6A1380570
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A135A880 24_2_00007FF6A135A880
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13A8900 24_2_00007FF6A13A8900
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1344784 24_2_00007FF6A1344784
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1394810 24_2_00007FF6A1394810
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1312A84 24_2_00007FF6A1312A84
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1354A8C 24_2_00007FF6A1354A8C
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1356940 24_2_00007FF6A1356940
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1348A0C 24_2_00007FF6A1348A0C
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13AA9D0 24_2_00007FF6A13AA9D0
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A138AC70 24_2_00007FF6A138AC70
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1374D18 24_2_00007FF6A1374D18
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A131AB3C 24_2_00007FF6A131AB3C
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A132AB44 24_2_00007FF6A132AB44
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A136CBE8 24_2_00007FF6A136CBE8
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A139CE54 24_2_00007FF6A139CE54
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A139AD78 24_2_00007FF6A139AD78
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A138CD50 24_2_00007FF6A138CD50
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1330D50 24_2_00007FF6A1330D50
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13C0E08 24_2_00007FF6A13C0E08
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13A2E28 24_2_00007FF6A13A2E28
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A136504C 24_2_00007FF6A136504C
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1334F80 24_2_00007FF6A1334F80
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13A8FA0 24_2_00007FF6A13A8FA0
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1340F54 24_2_00007FF6A1340F54
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1374FFC 24_2_00007FF6A1374FFC
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1397000 24_2_00007FF6A1397000
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A132D034 24_2_00007FF6A132D034
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A132D2F8 24_2_00007FF6A132D2F8
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A134731C 24_2_00007FF6A134731C
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1341320 24_2_00007FF6A1341320
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13B52C0 24_2_00007FF6A13B52C0
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13132CC 24_2_00007FF6A13132CC
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A138F18C 24_2_00007FF6A138F18C
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13C11B4 24_2_00007FF6A13C11B4
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A138B140 24_2_00007FF6A138B140
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9BCDB0 27_2_00007FF74C9BCDB0
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9BBF00 27_2_00007FF74C9BBF00
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9B4E3C 27_2_00007FF74C9B4E3C
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9C5E50 27_2_00007FF74C9C5E50
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9B5E54 27_2_00007FF74C9B5E54
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9C0FA0 27_2_00007FF74C9C0FA0
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9C47B0 27_2_00007FF74C9C47B0
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9BAF54 27_2_00007FF74C9BAF54
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9CC8A0 27_2_00007FF74C9CC8A0
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9C8AC0 27_2_00007FF74C9C8AC0
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9C53BC 27_2_00007FF74C9C53BC
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9B2BD0 27_2_00007FF74C9B2BD0
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9B2400 27_2_00007FF74C9B2400
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9C3348 27_2_00007FF74C9C3348
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9C8320 27_2_00007FF74C9C8320
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9B8B30 27_2_00007FF74C9B8B30
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9BFB90 27_2_00007FF74C9BFB90
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9CA35C 27_2_00007FF74C9CA35C
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9C2CD8 27_2_00007FF74C9C2CD8
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: 33_2_00007FF729449630 33_2_00007FF729449630
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: 33_2_00007FF729444648 33_2_00007FF729444648
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: 33_2_00007FF72944E934 33_2_00007FF72944E934
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: 33_2_00007FF7294549FF 33_2_00007FF7294549FF
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: 33_2_00007FF7294519D4 33_2_00007FF7294519D4
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: 33_2_00007FF729446BDC 33_2_00007FF729446BDC
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: 33_2_00007FF729443FAC 33_2_00007FF729443FAC
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: String function: 00007FF729445F34 appears 75 times
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: String function: 00007FF729446124 appears 108 times
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: String function: 00007FF68F294474 appears 37 times
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: String function: 00007FF68F2D410C appears 37 times
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: String function: 00007FF68F29CF60 appears 903 times
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: String function: 00007FF68F29419C appears 54 times
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: 33_2_00007FF729449630 memset,memset,GetSystemDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,wcscat_s,GetTempFileNameW,GetLastError,#6,#177,RevertToSelf,CreateEnvironmentBlock,GetLastError,CreateProcessAsUserW,GetLastError,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,GetLastError,DeleteFileW,GetLastError,GetLastError,RevertToSelf,DeleteFileW,GetLastError,DestroyEnvironmentBlock,EnterCriticalSection,LeaveCriticalSection,CloseHandle,CloseHandle,CloseHandle,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z, 33_2_00007FF729449630
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140046C90 NtClose, 0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 NtQuerySystemInformation, 0_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2C5580 NtOpenThreadToken,NtOpenProcessToken,NtQueryInformationToken,NtClose, 18_2_00007FF68F2C5580
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2C54EC NtQueryInformationToken,NtQueryInformationToken, 18_2_00007FF68F2C54EC
PE file contains strange resources
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: DUI70.dll0.5.dr Static PE information: Number of sections : 51 > 10
Source: 2epPHr8ygJ.dll Static PE information: Number of sections : 50 > 10
Source: DUI70.dll.5.dr Static PE information: Number of sections : 51 > 10
Source: WTSAPI32.dll.5.dr Static PE information: Number of sections : 51 > 10
Source: UxTheme.dll0.5.dr Static PE information: Number of sections : 51 > 10
Source: UxTheme.dll.5.dr Static PE information: Number of sections : 51 > 10
Source: MFC42u.dll.5.dr Static PE information: Number of sections : 51 > 10
Source: OLEACC.dll.5.dr Static PE information: Number of sections : 51 > 10
Source: WTSAPI32.dll0.5.dr Static PE information: Number of sections : 51 > 10
Source: 2epPHr8ygJ.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll0.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll0.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 2epPHr8ygJ.dll Metadefender: Detection: 62%
Source: 2epPHr8ygJ.dll ReversingLabs: Detection: 80%
Source: 2epPHr8ygJ.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReader
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingCodePage
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingName
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\msdt.exe C:\Windows\system32\msdt.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WMPDMC.exe C:\Windows\system32\WMPDMC.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\FXSCOVER.exe C:\Windows\system32\FXSCOVER.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe C:\Users\user\AppData\Local\29qb\FXSCOVER.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\CameraSettingsUIHost.exe C:\Windows\system32\CameraSettingsUIHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\MDMAppInstaller.exe C:\Windows\system32\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesComputerName.exe C:\Windows\system32\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\eudcedit.exe C:\Windows\system32\eudcedit.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\CameraSettingsUIHost.exe C:\Windows\system32\CameraSettingsUIHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SnippingTool.exe C:\Windows\system32\SnippingTool.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReader
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingCodePage
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\msdt.exe C:\Windows\system32\msdt.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WMPDMC.exe C:\Windows\system32\WMPDMC.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\FXSCOVER.exe C:\Windows\system32\FXSCOVER.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe C:\Users\user\AppData\Local\29qb\FXSCOVER.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\CameraSettingsUIHost.exe C:\Windows\system32\CameraSettingsUIHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\MDMAppInstaller.exe C:\Windows\system32\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesComputerName.exe C:\Windows\system32\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\eudcedit.exe C:\Windows\system32\eudcedit.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\CameraSettingsUIHost.exe C:\Windows\system32\CameraSettingsUIHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SnippingTool.exe C:\Windows\system32\SnippingTool.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.troj.expl.evad.winDLL@47/17@0/0
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F29D838 VariantInit,CoCreateInstance,SysAllocString,VariantClear, 18_2_00007FF68F29D838
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9B96F0 LoadLibraryW,GetLastError,FormatMessageW,#1463,CreateWindowExW,GetLastError,FormatMessageW,LocalFree, 27_2_00007FF74C9B96F0
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReader
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Mutant created: \Sessions\1\BaseNamedObjects\{6e96cc13-3796-2f23-5ab3-d2d937ee5666}
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Mutant created: \Sessions\1\BaseNamedObjects\{d2e34cc6-e6aa-6365-5632-f8c3222ca63e}
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2C56C4 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,SizeofResource,GetLastError,GlobalAlloc,GetLastError,GlobalLock,GetLastError,memcpy,CreateStreamOnHGlobal,FreeResource,GlobalUnlock,GlobalFree, 18_2_00007FF68F2C56C4
Source: 2epPHr8ygJ.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: 2epPHr8ygJ.dll Static file information: File size 2347008 > 1048576
Source: 2epPHr8ygJ.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: FXSCOVER.pdb source: FXSCOVER.exe, 0000001B.00000002.491482868.00007FF74C9D2000.00000002.00020000.sdmp
Source: Binary string: mdmappinstaller.pdbGCTL source: MDMAppInstaller.exe, 00000021.00000002.558251742.00007FF729455000.00000002.00020000.sdmp
Source: Binary string: msdt.pdbGCTL source: msdt.exe, 00000012.00000000.401947777.00007FF68F2D8000.00000002.00020000.sdmp
Source: Binary string: FXSCOVER.pdbGCTL source: FXSCOVER.exe, 0000001B.00000002.491482868.00007FF74C9D2000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe, 00000018.00000002.453541823.00007FF6A13DD000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe, 0000001F.00000002.531397524.00007FF7EAC35000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe, 0000001F.00000002.531397524.00007FF7EAC35000.00000002.00020000.sdmp
Source: Binary string: msdt.pdb source: msdt.exe, 00000012.00000000.401947777.00007FF68F2D8000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdb source: WMPDMC.exe, 00000018.00000002.453541823.00007FF6A13DD000.00000002.00020000.sdmp
Source: Binary string: mdmappinstaller.pdb source: MDMAppInstaller.exe, 00000021.00000002.558251742.00007FF729455000.00000002.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret 0_2_0000000140056A4E
PE file contains sections with non-standard names
Source: 2epPHr8ygJ.dll Static PE information: section name: .qkm
Source: 2epPHr8ygJ.dll Static PE information: section name: .cvjb
Source: 2epPHr8ygJ.dll Static PE information: section name: .tlmkv
Source: 2epPHr8ygJ.dll Static PE information: section name: .wucsxe
Source: 2epPHr8ygJ.dll Static PE information: section name: .fltwtj
Source: 2epPHr8ygJ.dll Static PE information: section name: .sfplio
Source: 2epPHr8ygJ.dll Static PE information: section name: .rpg
Source: 2epPHr8ygJ.dll Static PE information: section name: .bewzc
Source: 2epPHr8ygJ.dll Static PE information: section name: .vksvaw
Source: 2epPHr8ygJ.dll Static PE information: section name: .wmhg
Source: 2epPHr8ygJ.dll Static PE information: section name: .kswemc
Source: 2epPHr8ygJ.dll Static PE information: section name: .kaxfk
Source: 2epPHr8ygJ.dll Static PE information: section name: .wualk
Source: 2epPHr8ygJ.dll Static PE information: section name: .qdxz
Source: 2epPHr8ygJ.dll Static PE information: section name: .rkyg
Source: 2epPHr8ygJ.dll Static PE information: section name: .psul
Source: 2epPHr8ygJ.dll Static PE information: section name: .pyjm
Source: 2epPHr8ygJ.dll Static PE information: section name: .eoadme
Source: 2epPHr8ygJ.dll Static PE information: section name: .fnz
Source: 2epPHr8ygJ.dll Static PE information: section name: .gwheg
Source: 2epPHr8ygJ.dll Static PE information: section name: .fcd
Source: 2epPHr8ygJ.dll Static PE information: section name: .dwk
Source: 2epPHr8ygJ.dll Static PE information: section name: .hgy
Source: 2epPHr8ygJ.dll Static PE information: section name: .nfm
Source: 2epPHr8ygJ.dll Static PE information: section name: .qmfqd
Source: 2epPHr8ygJ.dll Static PE information: section name: .buzyfh
Source: 2epPHr8ygJ.dll Static PE information: section name: .piwc
Source: 2epPHr8ygJ.dll Static PE information: section name: .nnrqzz
Source: 2epPHr8ygJ.dll Static PE information: section name: .hycwe
Source: 2epPHr8ygJ.dll Static PE information: section name: .unt
Source: 2epPHr8ygJ.dll Static PE information: section name: .hoj
Source: 2epPHr8ygJ.dll Static PE information: section name: .xufjr
Source: 2epPHr8ygJ.dll Static PE information: section name: .ukllwd
Source: 2epPHr8ygJ.dll Static PE information: section name: .dmpewo
Source: 2epPHr8ygJ.dll Static PE information: section name: .kerz
Source: 2epPHr8ygJ.dll Static PE information: section name: .skdwx
Source: 2epPHr8ygJ.dll Static PE information: section name: .diq
Source: 2epPHr8ygJ.dll Static PE information: section name: .cbuheu
Source: 2epPHr8ygJ.dll Static PE information: section name: .hwca
Source: 2epPHr8ygJ.dll Static PE information: section name: .mkabuo
Source: 2epPHr8ygJ.dll Static PE information: section name: .vstkx
Source: 2epPHr8ygJ.dll Static PE information: section name: .zpzkgm
Source: 2epPHr8ygJ.dll Static PE information: section name: .qkdzqp
Source: 2epPHr8ygJ.dll Static PE information: section name: .arp
Source: WMPDMC.exe.5.dr Static PE information: section name: .didat
Source: CameraSettingsUIHost.exe.5.dr Static PE information: section name: .imrsiv
Source: MDMAppInstaller.exe.5.dr Static PE information: section name: .didat
Source: CameraSettingsUIHost.exe0.5.dr Static PE information: section name: .imrsiv
Source: MDMAppInstaller.exe0.5.dr Static PE information: section name: .didat
Source: UxTheme.dll.5.dr Static PE information: section name: .qkm
Source: UxTheme.dll.5.dr Static PE information: section name: .cvjb
Source: UxTheme.dll.5.dr Static PE information: section name: .tlmkv
Source: UxTheme.dll.5.dr Static PE information: section name: .wucsxe
Source: UxTheme.dll.5.dr Static PE information: section name: .fltwtj
Source: UxTheme.dll.5.dr Static PE information: section name: .sfplio
Source: UxTheme.dll.5.dr Static PE information: section name: .rpg
Source: UxTheme.dll.5.dr Static PE information: section name: .bewzc
Source: UxTheme.dll.5.dr Static PE information: section name: .vksvaw
Source: UxTheme.dll.5.dr Static PE information: section name: .wmhg
Source: UxTheme.dll.5.dr Static PE information: section name: .kswemc
Source: UxTheme.dll.5.dr Static PE information: section name: .kaxfk
Source: UxTheme.dll.5.dr Static PE information: section name: .wualk
Source: UxTheme.dll.5.dr Static PE information: section name: .qdxz
Source: UxTheme.dll.5.dr Static PE information: section name: .rkyg
Source: UxTheme.dll.5.dr Static PE information: section name: .psul
Source: UxTheme.dll.5.dr Static PE information: section name: .pyjm
Source: UxTheme.dll.5.dr Static PE information: section name: .eoadme
Source: UxTheme.dll.5.dr Static PE information: section name: .fnz
Source: UxTheme.dll.5.dr Static PE information: section name: .gwheg
Source: UxTheme.dll.5.dr Static PE information: section name: .fcd
Source: UxTheme.dll.5.dr Static PE information: section name: .dwk
Source: UxTheme.dll.5.dr Static PE information: section name: .hgy
Source: UxTheme.dll.5.dr Static PE information: section name: .nfm
Source: UxTheme.dll.5.dr Static PE information: section name: .qmfqd
Source: UxTheme.dll.5.dr Static PE information: section name: .buzyfh
Source: UxTheme.dll.5.dr Static PE information: section name: .piwc
Source: UxTheme.dll.5.dr Static PE information: section name: .nnrqzz
Source: UxTheme.dll.5.dr Static PE information: section name: .hycwe
Source: UxTheme.dll.5.dr Static PE information: section name: .unt
Source: UxTheme.dll.5.dr Static PE information: section name: .hoj
Source: UxTheme.dll.5.dr Static PE information: section name: .xufjr
Source: UxTheme.dll.5.dr Static PE information: section name: .ukllwd
Source: UxTheme.dll.5.dr Static PE information: section name: .dmpewo
Source: UxTheme.dll.5.dr Static PE information: section name: .kerz
Source: UxTheme.dll.5.dr Static PE information: section name: .skdwx
Source: UxTheme.dll.5.dr Static PE information: section name: .diq
Source: UxTheme.dll.5.dr Static PE information: section name: .cbuheu
Source: UxTheme.dll.5.dr Static PE information: section name: .hwca
Source: UxTheme.dll.5.dr Static PE information: section name: .mkabuo
Source: UxTheme.dll.5.dr Static PE information: section name: .vstkx
Source: UxTheme.dll.5.dr Static PE information: section name: .zpzkgm
Source: UxTheme.dll.5.dr Static PE information: section name: .qkdzqp
Source: UxTheme.dll.5.dr Static PE information: section name: .arp
Source: UxTheme.dll.5.dr Static PE information: section name: .rlm
Source: OLEACC.dll.5.dr Static PE information: section name: .qkm
Source: OLEACC.dll.5.dr Static PE information: section name: .cvjb
Source: OLEACC.dll.5.dr Static PE information: section name: .tlmkv
Source: OLEACC.dll.5.dr Static PE information: section name: .wucsxe
Source: OLEACC.dll.5.dr Static PE information: section name: .fltwtj
Source: OLEACC.dll.5.dr Static PE information: section name: .sfplio
Source: OLEACC.dll.5.dr Static PE information: section name: .rpg
Source: OLEACC.dll.5.dr Static PE information: section name: .bewzc
Source: OLEACC.dll.5.dr Static PE information: section name: .vksvaw
Source: OLEACC.dll.5.dr Static PE information: section name: .wmhg
Source: OLEACC.dll.5.dr Static PE information: section name: .kswemc
Source: OLEACC.dll.5.dr Static PE information: section name: .kaxfk
Source: OLEACC.dll.5.dr Static PE information: section name: .wualk
Source: OLEACC.dll.5.dr Static PE information: section name: .qdxz
Source: OLEACC.dll.5.dr Static PE information: section name: .rkyg
Source: OLEACC.dll.5.dr Static PE information: section name: .psul
Source: OLEACC.dll.5.dr Static PE information: section name: .pyjm
Source: OLEACC.dll.5.dr Static PE information: section name: .eoadme
Source: OLEACC.dll.5.dr Static PE information: section name: .fnz
Source: OLEACC.dll.5.dr Static PE information: section name: .gwheg
Source: OLEACC.dll.5.dr Static PE information: section name: .fcd
Source: OLEACC.dll.5.dr Static PE information: section name: .dwk
Source: OLEACC.dll.5.dr Static PE information: section name: .hgy
Source: OLEACC.dll.5.dr Static PE information: section name: .nfm
Source: OLEACC.dll.5.dr Static PE information: section name: .qmfqd
Source: OLEACC.dll.5.dr Static PE information: section name: .buzyfh
Source: OLEACC.dll.5.dr Static PE information: section name: .piwc
Source: OLEACC.dll.5.dr Static PE information: section name: .nnrqzz
Source: OLEACC.dll.5.dr Static PE information: section name: .hycwe
Source: OLEACC.dll.5.dr Static PE information: section name: .unt
Source: OLEACC.dll.5.dr Static PE information: section name: .hoj
Source: OLEACC.dll.5.dr Static PE information: section name: .xufjr
Source: OLEACC.dll.5.dr Static PE information: section name: .ukllwd
Source: OLEACC.dll.5.dr Static PE information: section name: .dmpewo
Source: OLEACC.dll.5.dr Static PE information: section name: .kerz
Source: OLEACC.dll.5.dr Static PE information: section name: .skdwx
Source: OLEACC.dll.5.dr Static PE information: section name: .diq
Source: OLEACC.dll.5.dr Static PE information: section name: .cbuheu
Source: OLEACC.dll.5.dr Static PE information: section name: .hwca
Source: OLEACC.dll.5.dr Static PE information: section name: .mkabuo
Source: OLEACC.dll.5.dr Static PE information: section name: .vstkx
Source: OLEACC.dll.5.dr Static PE information: section name: .zpzkgm
Source: OLEACC.dll.5.dr Static PE information: section name: .qkdzqp
Source: OLEACC.dll.5.dr Static PE information: section name: .arp
Source: OLEACC.dll.5.dr Static PE information: section name: .cjy
Source: MFC42u.dll.5.dr Static PE information: section name: .qkm
Source: MFC42u.dll.5.dr Static PE information: section name: .cvjb
Source: MFC42u.dll.5.dr Static PE information: section name: .tlmkv
Source: MFC42u.dll.5.dr Static PE information: section name: .wucsxe
Source: MFC42u.dll.5.dr Static PE information: section name: .fltwtj
Source: MFC42u.dll.5.dr Static PE information: section name: .sfplio
Source: MFC42u.dll.5.dr Static PE information: section name: .rpg
Source: MFC42u.dll.5.dr Static PE information: section name: .bewzc
Source: MFC42u.dll.5.dr Static PE information: section name: .vksvaw
Source: MFC42u.dll.5.dr Static PE information: section name: .wmhg
Source: MFC42u.dll.5.dr Static PE information: section name: .kswemc
Source: MFC42u.dll.5.dr Static PE information: section name: .kaxfk
Source: MFC42u.dll.5.dr Static PE information: section name: .wualk
Source: MFC42u.dll.5.dr Static PE information: section name: .qdxz
Source: MFC42u.dll.5.dr Static PE information: section name: .rkyg
Source: MFC42u.dll.5.dr Static PE information: section name: .psul
Source: MFC42u.dll.5.dr Static PE information: section name: .pyjm
Source: MFC42u.dll.5.dr Static PE information: section name: .eoadme
Source: MFC42u.dll.5.dr Static PE information: section name: .fnz
Source: MFC42u.dll.5.dr Static PE information: section name: .gwheg
Source: MFC42u.dll.5.dr Static PE information: section name: .fcd
Source: MFC42u.dll.5.dr Static PE information: section name: .dwk
Source: MFC42u.dll.5.dr Static PE information: section name: .hgy
Source: MFC42u.dll.5.dr Static PE information: section name: .nfm
Source: MFC42u.dll.5.dr Static PE information: section name: .qmfqd
Source: MFC42u.dll.5.dr Static PE information: section name: .buzyfh
Source: MFC42u.dll.5.dr Static PE information: section name: .piwc
Source: MFC42u.dll.5.dr Static PE information: section name: .nnrqzz
Source: MFC42u.dll.5.dr Static PE information: section name: .hycwe
Source: MFC42u.dll.5.dr Static PE information: section name: .unt
Source: MFC42u.dll.5.dr Static PE information: section name: .hoj
Source: MFC42u.dll.5.dr Static PE information: section name: .xufjr
Source: MFC42u.dll.5.dr Static PE information: section name: .ukllwd
Source: MFC42u.dll.5.dr Static PE information: section name: .dmpewo
Source: MFC42u.dll.5.dr Static PE information: section name: .kerz
Source: MFC42u.dll.5.dr Static PE information: section name: .skdwx
Source: MFC42u.dll.5.dr Static PE information: section name: .diq
Source: MFC42u.dll.5.dr Static PE information: section name: .cbuheu
Source: MFC42u.dll.5.dr Static PE information: section name: .hwca
Source: MFC42u.dll.5.dr Static PE information: section name: .mkabuo
Source: MFC42u.dll.5.dr Static PE information: section name: .vstkx
Source: MFC42u.dll.5.dr Static PE information: section name: .zpzkgm
Source: MFC42u.dll.5.dr Static PE information: section name: .qkdzqp
Source: MFC42u.dll.5.dr Static PE information: section name: .arp
Source: MFC42u.dll.5.dr Static PE information: section name: .amu
Source: DUI70.dll.5.dr Static PE information: section name: .qkm
Source: DUI70.dll.5.dr Static PE information: section name: .cvjb
Source: DUI70.dll.5.dr Static PE information: section name: .tlmkv
Source: DUI70.dll.5.dr Static PE information: section name: .wucsxe
Source: DUI70.dll.5.dr Static PE information: section name: .fltwtj
Source: DUI70.dll.5.dr Static PE information: section name: .sfplio
Source: DUI70.dll.5.dr Static PE information: section name: .rpg
Source: DUI70.dll.5.dr Static PE information: section name: .bewzc
Source: DUI70.dll.5.dr Static PE information: section name: .vksvaw
Source: DUI70.dll.5.dr Static PE information: section name: .wmhg
Source: DUI70.dll.5.dr Static PE information: section name: .kswemc
Source: DUI70.dll.5.dr Static PE information: section name: .kaxfk
Source: DUI70.dll.5.dr Static PE information: section name: .wualk
Source: DUI70.dll.5.dr Static PE information: section name: .qdxz
Source: DUI70.dll.5.dr Static PE information: section name: .rkyg
Source: DUI70.dll.5.dr Static PE information: section name: .psul
Source: DUI70.dll.5.dr Static PE information: section name: .pyjm
Source: DUI70.dll.5.dr Static PE information: section name: .eoadme
Source: DUI70.dll.5.dr Static PE information: section name: .fnz
Source: DUI70.dll.5.dr Static PE information: section name: .gwheg
Source: DUI70.dll.5.dr Static PE information: section name: .fcd
Source: DUI70.dll.5.dr Static PE information: section name: .dwk
Source: DUI70.dll.5.dr Static PE information: section name: .hgy
Source: DUI70.dll.5.dr Static PE information: section name: .nfm
Source: DUI70.dll.5.dr Static PE information: section name: .qmfqd
Source: DUI70.dll.5.dr Static PE information: section name: .buzyfh
Source: DUI70.dll.5.dr Static PE information: section name: .piwc
Source: DUI70.dll.5.dr Static PE information: section name: .nnrqzz
Source: DUI70.dll.5.dr Static PE information: section name: .hycwe
Source: DUI70.dll.5.dr Static PE information: section name: .unt
Source: DUI70.dll.5.dr Static PE information: section name: .hoj
Source: DUI70.dll.5.dr Static PE information: section name: .xufjr
Source: DUI70.dll.5.dr Static PE information: section name: .ukllwd
Source: DUI70.dll.5.dr Static PE information: section name: .dmpewo
Source: DUI70.dll.5.dr Static PE information: section name: .kerz
Source: DUI70.dll.5.dr Static PE information: section name: .skdwx
Source: DUI70.dll.5.dr Static PE information: section name: .diq
Source: DUI70.dll.5.dr Static PE information: section name: .cbuheu
Source: DUI70.dll.5.dr Static PE information: section name: .hwca
Source: DUI70.dll.5.dr Static PE information: section name: .mkabuo
Source: DUI70.dll.5.dr Static PE information: section name: .vstkx
Source: DUI70.dll.5.dr Static PE information: section name: .zpzkgm
Source: DUI70.dll.5.dr Static PE information: section name: .qkdzqp
Source: DUI70.dll.5.dr Static PE information: section name: .arp
Source: DUI70.dll.5.dr Static PE information: section name: .burypb
Source: WTSAPI32.dll.5.dr Static PE information: section name: .qkm
Source: WTSAPI32.dll.5.dr Static PE information: section name: .cvjb
Source: WTSAPI32.dll.5.dr Static PE information: section name: .tlmkv
Source: WTSAPI32.dll.5.dr Static PE information: section name: .wucsxe
Source: WTSAPI32.dll.5.dr Static PE information: section name: .fltwtj
Source: WTSAPI32.dll.5.dr Static PE information: section name: .sfplio
Source: WTSAPI32.dll.5.dr Static PE information: section name: .rpg
Source: WTSAPI32.dll.5.dr Static PE information: section name: .bewzc
Source: WTSAPI32.dll.5.dr Static PE information: section name: .vksvaw
Source: WTSAPI32.dll.5.dr Static PE information: section name: .wmhg
Source: WTSAPI32.dll.5.dr Static PE information: section name: .kswemc
Source: WTSAPI32.dll.5.dr Static PE information: section name: .kaxfk
Source: WTSAPI32.dll.5.dr Static PE information: section name: .wualk
Source: WTSAPI32.dll.5.dr Static PE information: section name: .qdxz
Source: WTSAPI32.dll.5.dr Static PE information: section name: .rkyg
Source: WTSAPI32.dll.5.dr Static PE information: section name: .psul
Source: WTSAPI32.dll.5.dr Static PE information: section name: .pyjm
Source: WTSAPI32.dll.5.dr Static PE information: section name: .eoadme
Source: WTSAPI32.dll.5.dr Static PE information: section name: .fnz
Source: WTSAPI32.dll.5.dr Static PE information: section name: .gwheg
Source: WTSAPI32.dll.5.dr Static PE information: section name: .fcd
Source: WTSAPI32.dll.5.dr Static PE information: section name: .dwk
Source: WTSAPI32.dll.5.dr Static PE information: section name: .hgy
Source: WTSAPI32.dll.5.dr Static PE information: section name: .nfm
Source: WTSAPI32.dll.5.dr Static PE information: section name: .qmfqd
Source: WTSAPI32.dll.5.dr Static PE information: section name: .buzyfh
Source: WTSAPI32.dll.5.dr Static PE information: section name: .piwc
Source: WTSAPI32.dll.5.dr Static PE information: section name: .nnrqzz
Source: WTSAPI32.dll.5.dr Static PE information: section name: .hycwe
Source: WTSAPI32.dll.5.dr Static PE information: section name: .unt
Source: WTSAPI32.dll.5.dr Static PE information: section name: .hoj
Source: WTSAPI32.dll.5.dr Static PE information: section name: .xufjr
Source: WTSAPI32.dll.5.dr Static PE information: section name: .ukllwd
Source: WTSAPI32.dll.5.dr Static PE information: section name: .dmpewo
Source: WTSAPI32.dll.5.dr Static PE information: section name: .kerz
Source: WTSAPI32.dll.5.dr Static PE information: section name: .skdwx
Source: WTSAPI32.dll.5.dr Static PE information: section name: .diq
Source: WTSAPI32.dll.5.dr Static PE information: section name: .cbuheu
Source: WTSAPI32.dll.5.dr Static PE information: section name: .hwca
Source: WTSAPI32.dll.5.dr Static PE information: section name: .mkabuo
Source: WTSAPI32.dll.5.dr Static PE information: section name: .vstkx
Source: WTSAPI32.dll.5.dr Static PE information: section name: .zpzkgm
Source: WTSAPI32.dll.5.dr Static PE information: section name: .qkdzqp
Source: WTSAPI32.dll.5.dr Static PE information: section name: .arp
Source: WTSAPI32.dll.5.dr Static PE information: section name: .enn
Source: DUI70.dll0.5.dr Static PE information: section name: .qkm
Source: DUI70.dll0.5.dr Static PE information: section name: .cvjb
Source: DUI70.dll0.5.dr Static PE information: section name: .tlmkv
Source: DUI70.dll0.5.dr Static PE information: section name: .wucsxe
Source: DUI70.dll0.5.dr Static PE information: section name: .fltwtj
Source: DUI70.dll0.5.dr Static PE information: section name: .sfplio
Source: DUI70.dll0.5.dr Static PE information: section name: .rpg
Source: DUI70.dll0.5.dr Static PE information: section name: .bewzc
Source: DUI70.dll0.5.dr Static PE information: section name: .vksvaw
Source: DUI70.dll0.5.dr Static PE information: section name: .wmhg
Source: DUI70.dll0.5.dr Static PE information: section name: .kswemc
Source: DUI70.dll0.5.dr Static PE information: section name: .kaxfk
Source: DUI70.dll0.5.dr Static PE information: section name: .wualk
Source: DUI70.dll0.5.dr Static PE information: section name: .qdxz
Source: DUI70.dll0.5.dr Static PE information: section name: .rkyg
Source: DUI70.dll0.5.dr Static PE information: section name: .psul
Source: DUI70.dll0.5.dr Static PE information: section name: .pyjm
Source: DUI70.dll0.5.dr Static PE information: section name: .eoadme
Source: DUI70.dll0.5.dr Static PE information: section name: .fnz
Source: DUI70.dll0.5.dr Static PE information: section name: .gwheg
Source: DUI70.dll0.5.dr Static PE information: section name: .fcd
Source: DUI70.dll0.5.dr Static PE information: section name: .dwk
Source: DUI70.dll0.5.dr Static PE information: section name: .hgy
Source: DUI70.dll0.5.dr Static PE information: section name: .nfm
Source: DUI70.dll0.5.dr Static PE information: section name: .qmfqd
Source: DUI70.dll0.5.dr Static PE information: section name: .buzyfh
Source: DUI70.dll0.5.dr Static PE information: section name: .piwc
Source: DUI70.dll0.5.dr Static PE information: section name: .nnrqzz
Source: DUI70.dll0.5.dr Static PE information: section name: .hycwe
Source: DUI70.dll0.5.dr Static PE information: section name: .unt
Source: DUI70.dll0.5.dr Static PE information: section name: .hoj
Source: DUI70.dll0.5.dr Static PE information: section name: .xufjr
Source: DUI70.dll0.5.dr Static PE information: section name: .ukllwd
Source: DUI70.dll0.5.dr Static PE information: section name: .dmpewo
Source: DUI70.dll0.5.dr Static PE information: section name: .kerz
Source: DUI70.dll0.5.dr Static PE information: section name: .skdwx
Source: DUI70.dll0.5.dr Static PE information: section name: .diq
Source: DUI70.dll0.5.dr Static PE information: section name: .cbuheu
Source: DUI70.dll0.5.dr Static PE information: section name: .hwca
Source: DUI70.dll0.5.dr Static PE information: section name: .mkabuo
Source: DUI70.dll0.5.dr Static PE information: section name: .vstkx
Source: DUI70.dll0.5.dr Static PE information: section name: .zpzkgm
Source: DUI70.dll0.5.dr Static PE information: section name: .qkdzqp
Source: DUI70.dll0.5.dr Static PE information: section name: .arp
Source: DUI70.dll0.5.dr Static PE information: section name: .bzhioz
Source: UxTheme.dll0.5.dr Static PE information: section name: .qkm
Source: UxTheme.dll0.5.dr Static PE information: section name: .cvjb
Source: UxTheme.dll0.5.dr Static PE information: section name: .tlmkv
Source: UxTheme.dll0.5.dr Static PE information: section name: .wucsxe
Source: UxTheme.dll0.5.dr Static PE information: section name: .fltwtj
Source: UxTheme.dll0.5.dr Static PE information: section name: .sfplio
Source: UxTheme.dll0.5.dr Static PE information: section name: .rpg
Source: UxTheme.dll0.5.dr Static PE information: section name: .bewzc
Source: UxTheme.dll0.5.dr Static PE information: section name: .vksvaw
Source: UxTheme.dll0.5.dr Static PE information: section name: .wmhg
Source: UxTheme.dll0.5.dr Static PE information: section name: .kswemc
Source: UxTheme.dll0.5.dr Static PE information: section name: .kaxfk
Source: UxTheme.dll0.5.dr Static PE information: section name: .wualk
Source: UxTheme.dll0.5.dr Static PE information: section name: .qdxz
Source: UxTheme.dll0.5.dr Static PE information: section name: .rkyg
Source: UxTheme.dll0.5.dr Static PE information: section name: .psul
Source: UxTheme.dll0.5.dr Static PE information: section name: .pyjm
Source: UxTheme.dll0.5.dr Static PE information: section name: .eoadme
Source: UxTheme.dll0.5.dr Static PE information: section name: .fnz
Source: UxTheme.dll0.5.dr Static PE information: section name: .gwheg
Source: UxTheme.dll0.5.dr Static PE information: section name: .fcd
Source: UxTheme.dll0.5.dr Static PE information: section name: .dwk
Source: UxTheme.dll0.5.dr Static PE information: section name: .hgy
Source: UxTheme.dll0.5.dr Static PE information: section name: .nfm
Source: UxTheme.dll0.5.dr Static PE information: section name: .qmfqd
Source: UxTheme.dll0.5.dr Static PE information: section name: .buzyfh
Source: UxTheme.dll0.5.dr Static PE information: section name: .piwc
Source: UxTheme.dll0.5.dr Static PE information: section name: .nnrqzz
Source: UxTheme.dll0.5.dr Static PE information: section name: .hycwe
Source: UxTheme.dll0.5.dr Static PE information: section name: .unt
Source: UxTheme.dll0.5.dr Static PE information: section name: .hoj
Source: UxTheme.dll0.5.dr Static PE information: section name: .xufjr
Source: UxTheme.dll0.5.dr Static PE information: section name: .ukllwd
Source: UxTheme.dll0.5.dr Static PE information: section name: .dmpewo
Source: UxTheme.dll0.5.dr Static PE information: section name: .kerz
Source: UxTheme.dll0.5.dr Static PE information: section name: .skdwx
Source: UxTheme.dll0.5.dr Static PE information: section name: .diq
Source: UxTheme.dll0.5.dr Static PE information: section name: .cbuheu
Source: UxTheme.dll0.5.dr Static PE information: section name: .hwca
Source: UxTheme.dll0.5.dr Static PE information: section name: .mkabuo
Source: UxTheme.dll0.5.dr Static PE information: section name: .vstkx
Source: UxTheme.dll0.5.dr Static PE information: section name: .zpzkgm
Source: UxTheme.dll0.5.dr Static PE information: section name: .qkdzqp
Source: UxTheme.dll0.5.dr Static PE information: section name: .arp
Source: UxTheme.dll0.5.dr Static PE information: section name: .dtzmlx
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .qkm
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .cvjb
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .tlmkv
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .wucsxe
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .fltwtj
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .sfplio
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .rpg
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .bewzc
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .vksvaw
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .wmhg
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .kswemc
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .kaxfk
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .wualk
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .qdxz
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .rkyg
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .psul
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .pyjm
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .eoadme
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .fnz
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .gwheg
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .fcd
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .dwk
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .hgy
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .nfm
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .qmfqd
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .buzyfh
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .piwc
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .nnrqzz
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .hycwe
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .unt
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .hoj
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .xufjr
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .ukllwd
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .dmpewo
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .kerz
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .skdwx
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .diq
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .cbuheu
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .hwca
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .mkabuo
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .vstkx
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .zpzkgm
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .qkdzqp
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .arp
Source: WTSAPI32.dll0.5.dr Static PE information: section name: .fvbg
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1398404 GetSystemDirectoryW,PathCchAppend,LoadLibraryW,GetProcAddress, 24_2_00007FF6A1398404
PE file contains an invalid checksum
Source: DUI70.dll0.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x290845
Source: 2epPHr8ygJ.dll Static PE information: real checksum: 0x7d786c40 should be: 0x244206
Source: DUI70.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x28c253
Source: WTSAPI32.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x23e442
Source: UxTheme.dll0.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x240d62
Source: UxTheme.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x244584
Source: MFC42u.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x250c17
Source: OLEACC.dll.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x24602e
Source: WTSAPI32.dll0.5.dr Static PE information: real checksum: 0x7d786c40 should be: 0x23f518
Binary contains a suspicious time stamp
Source: msdt.exe.5.dr Static PE information: 0xFF860234 [Fri Nov 6 17:41:08 2105 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\EPV\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\29qb\MFC42u.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\YVP8cq\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\n7Is\UxTheme.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\n7Is\SnippingTool.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\p1G0zp\WTSAPI32.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\EPV\WTSAPI32.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1327020 GetWindow,IsWindowVisible,GetWindowThreadProcessId,GetDesktopWindow,GetWindow,GetWindowThreadProcessId,GetParent,GetWindow,GetClassNameW,CompareStringOrdinal,SetForegroundWindow,IsIconic,ShowWindow, 24_2_00007FF6A1327020
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9CAD40 SetForegroundWindow,IsIconic,#6632, 27_2_00007FF74C9CAD40
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6108 Thread sleep count: 34 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005C340 GetSystemInfo, 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW, 0_2_000000014005D290
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B2770 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 18_2_00007FF68F2B2770
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B7784 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 18_2_00007FF68F2B7784
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2CA65C memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 18_2_00007FF68F2CA65C
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B6720 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 18_2_00007FF68F2B6720
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2CBD48 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 18_2_00007FF68F2CBD48
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B7C3C GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree, 18_2_00007FF68F2B7C3C
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B6494 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,#13,GetLastError,GetProcessHeap,HeapFree, 18_2_00007FF68F2B6494
Source: explorer.exe, 00000005.00000000.356856219.0000000000B7D000.00000004.00000020.sdmp Binary or memory string: War&Prod_VMware_SATA
Source: explorer.exe, 00000005.00000000.347682374.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.347826219.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000005.00000000.301297684.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.347682374.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000005.00000000.301297684.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000005.00000000.347682374.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: 33_2_00007FF729442890 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 33_2_00007FF729442890
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A1398404 GetSystemDirectoryW,PathCchAppend,LoadLibraryW,GetProcAddress, 24_2_00007FF6A1398404
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2BC070 GetProcessHeap,HeapFree, 18_2_00007FF68F2BC070
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose, 0_2_0000000140048AC0
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2D5E58 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FF68F2D5E58
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2D6140 SetUnhandledExceptionFilter, 18_2_00007FF68F2D6140
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A13DA9E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00007FF6A13DA9E4
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9CF570 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 27_2_00007FF74C9CF570
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: 27_2_00007FF74C9CF960 SetUnhandledExceptionFilter, 27_2_00007FF74C9CF960
Source: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe Code function: 31_2_00007FF7EAC335B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_00007FF7EAC335B4
Source: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe Code function: 31_2_00007FF7EAC33330 SetUnhandledExceptionFilter, 31_2_00007FF7EAC33330
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: 33_2_00007FF729453DF0 SetUnhandledExceptionFilter, 33_2_00007FF729453DF0
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Code function: 33_2_00007FF729453BA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 33_2_00007FF729453BA4

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: UxTheme.dll.5.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4EFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4E000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8BAD2A20 protect: page execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F29FF54 memset,GetModuleFileNameW,GetLastError,memset,ShellExecuteExW,CreateThread,GetLastError,GetProcessHeap,HeapFree,GetLastError, 18_2_00007FF68F29FF54
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
Source: explorer.exe, 00000005.00000000.315672936.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.340115746.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 00000005.00000000.315672936.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.315672936.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.315672936.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.347826219.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe Queries volume information: unknown VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLocaleInfoEx, 27_2_00007FF74C9CBB04
Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe Code function: GetLocaleInfoW, 27_2_00007FF74C9B5218
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2BA0D0 GetProcessHeap,HeapAlloc,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateEventW,CreateNamedPipeW,ConnectNamedPipe,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,LocalFree, 18_2_00007FF68F2BA0D0
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F2B9BE4 GetSystemTime, 18_2_00007FF68F2B9BE4
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe Code function: 24_2_00007FF6A132C718 memset,GetVersionExW, 24_2_00007FF6A132C718
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe Code function: 18_2_00007FF68F297970 GetProcessHeap,HeapAlloc,GetUserNameExW,GetLastError,SysFreeString,GetProcessHeap,HeapFree, 18_2_00007FF68F297970
No contacted IP information