Windows Analysis Report
dpnhupnp.dll

Overview

General Information

Sample Name: dpnhupnp.dll
Analysis ID: 579430
MD5: cf22fca6a1c8035cb38867787f16be21
SHA1: 85cae7532a21983295a2c0aad5889e8dbd024c9f
SHA256: 3a52c4f27db221ed975af3d38ac4b9060203b9c6fb3532cdc61b969e21ca666c
Tags: dll dridex exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Uses Windows Living Off The Land Binaries (LOLBins)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Installs a raw input device (often for capturing keystrokes)
Sample file name is different from the original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
PE file contains more sections than normal
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: dpnhupnp.dll Virustotal: Detection: 65%
Source: dpnhupnp.dll Metadefender: Detection: 62%
Source: dpnhupnp.dll ReversingLabs: Detection: 83%
Source: dpnhupnp.dll Avira: detected
Source: C:\Users\user\AppData\Local\4xeLXaDKW\WINSTA.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\WPx7QKO3\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\uRSIQRt4\dxgi.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\96P3D\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\1XXGC21\DUI70.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\RiK2PNsRy\HID.DLL Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: dpnhupnp.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4xeLXaDKW\WINSTA.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\WPx7QKO3\UxTheme.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\uRSIQRt4\dxgi.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\96P3D\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\1XXGC21\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\RiK2PNsRy\HID.DLL Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775508534 CryptDestroyHash,CryptReleaseContext, 24_2_00007FF775508534
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775508610 CryptGetHashParam,memset, 24_2_00007FF775508610
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775508598 CryptAcquireContextW,CryptCreateHash, 24_2_00007FF775508598
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7755088F8 CryptHashData, 24_2_00007FF7755088F8
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77550874C CryptHashData, 24_2_00007FF77550874C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299EDF30 CertGetCertificateContextProperty,GetLastError,CryptHashCertificate,GetLastError,GetLastError,CertFreeCertificateContext, 32_2_00007FF7299EDF30
Source: dpnhupnp.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: cmstp.pdbGCTL source: cmstp.exe, 00000023.00000000.468453797.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000023.00000002.491387694.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000028.00000002.547996060.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe, 00000028.00000000.525056194.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe.6.dr, cmstp.exe0.6.dr
Source: Binary string: msdt.pdbGCTL source: msdt.exe, 00000020.00000002.463579902.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe, 00000020.00000000.438710187.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe.6.dr
Source: Binary string: CloudNotifications.pdb source: CloudNotifications.exe.6.dr
Source: Binary string: tabcal.pdbGCTL source: tabcal.exe.6.dr
Source: Binary string: PresentationHost.pdbGCTL source: PresentationHost.exe, 00000026.00000002.520780934.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe, 00000026.00000000.496651636.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe.6.dr
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr
Source: Binary string: PresentationHost.pdb source: PresentationHost.exe, 00000026.00000002.520780934.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe, 00000026.00000000.496651636.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe.6.dr
Source: Binary string: cmstp.pdb source: cmstp.exe, 00000023.00000000.468453797.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000023.00000002.491387694.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000028.00000002.547996060.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe, 00000028.00000000.525056194.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe.6.dr, cmstp.exe0.6.dr
Source: Binary string: DisplaySwitch.pdbGCTL source: DisplaySwitch.exe, 00000014.00000000.368442640.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe, 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe.6.dr
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr
Source: Binary string: tabcal.pdb source: tabcal.exe.6.dr
Source: Binary string: msdt.pdb source: msdt.exe, 00000020.00000002.463579902.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe, 00000020.00000000.438710187.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe.6.dr
Source: Binary string: DisplaySwitch.pdb source: DisplaySwitch.exe, 00000014.00000000.368442640.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe, 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe.6.dr
Source: Binary string: CloudNotifications.pdbGCTL source: CloudNotifications.exe.6.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA3ED10 FindFirstFileExW, 0_2_00007FFC6FA3ED10
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E7C3C GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree, 32_2_00007FF7299E7C3C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E6494 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,#13,GetLastError,GetProcessHeap,HeapFree, 32_2_00007FF7299E6494
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299FA65C memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 32_2_00007FF7299FA65C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299FBD48 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 32_2_00007FF7299FBD48
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E6720 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 32_2_00007FF7299E6720
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E7784 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 32_2_00007FF7299E7784
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E2770 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 32_2_00007FF7299E2770
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2FED10 FindFirstFileExW, 32_2_00007FFC6E2FED10
Source: explorer.exe, 00000006.00000000.313547112.000000000EE50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.293192524.000000000EE50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.326336701.000000000EE50000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000006.00000000.313547112.000000000EE50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.293192524.000000000EE50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.326336701.000000000EE50000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.micr
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augment
Source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/gameclips/Augment
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/screenshots/Augment
Source: GamePanel.exe String found in binary or memory: https://aka.ms/ifg0es
Source: GamePanel.exe String found in binary or memory: https://aka.ms/imfx4k
Source: GamePanel.exe String found in binary or memory: https://aka.ms/imrx2o
Source: GamePanel.exe String found in binary or memory: https://aka.ms/v5do45
Source: GamePanel.exe String found in binary or memory: https://aka.ms/w5ryqn
Source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING
Source: GamePanel.exe, GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://aka.ms/wk9ocd
Source: GamePanel.exe String found in binary or memory: https://mixer.com/%ws
Source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://mixer.com/%wsWindows.System.Launcher
Source: GamePanel.exe String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.png
Source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia
Source: GamePanel.exe, GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://mixer.com/api/v1/broadcasts/current
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/channels/%d
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/channels/%ws
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/chats/%.0f
Source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/oauth/xbl/login
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/types/lookup%ws
Source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/users/current
Source: GamePanel.exe String found in binary or memory: https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw
Source: GamePanel.exe String found in binary or memory: https://www.xboxlive.com
Source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr String found in binary or memory: https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD
Source: unknown DNS traffic detected: queries for: store-images.s-microsoft.com
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754CFC50 RegisterRawInputDevices, 24_2_00007FF7754CFC50
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BD5E1C GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetAsyncKeyState, 20_2_00007FF701BD5E1C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E3120 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree, 32_2_00007FF7299E3120
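The dropped-file entries above pair a Windows executable copied out of System32 (DisplaySwitch.exe, GamePanel.exe, msdt.exe, cmstp.exe) with a DLL named after one of its imports (WINSTA.dll, dxgi.dll, DUI70.dll, VERSION.dll) in the same random folder under C:\Users\user\AppData\Local; the DLL is the Dridex payload and the signed host binary side-loads it. The following Python is an added hunting example, not sandbox output and not Dridex code: it takes a list of file paths and flags directories showing that layout. The executable and DLL name sets are limited to what this report shows and are an assumption for any other sample; the sample paths are constructed from the drop locations named in this report.

```python
"""Hunt for the DLL side-loading layout this report records: a copy of a
signed Windows executable (GamePanel.exe, msdt.exe, cmstp.exe, ...) dropped
into a random %LOCALAPPDATA% folder next to a DLL carrying the name of one of
the executable's imports (VERSION.dll, UxTheme.dll, dxgi.dll, ...).

Added example, not part of the sandbox report. The name sets are limited to
what the report shows (assumption: extend them for a real hunt) and the
sample paths are constructed from the report's drop locations."""
import ntpath
import os
import re
from collections import defaultdict

# Executables the report shows copied out of System32 (assumed complete only
# for this sample).
SIDELOAD_HOSTS = {
    "gamepanel.exe", "msdt.exe", "cmstp.exe", "displayswitch.exe",
    "presentationhost.exe", "tabcal.exe", "cloudnotifications.exe",
}
# DLL names the report shows dropped beside those hosts.
HIJACKED_DLLS = {
    "winsta.dll", "uxtheme.dll", "dxgi.dll", "version.dll",
    "dui70.dll", "hid.dll",
}
# A system binary has no business living under a user profile.
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)


def find_sideload_pairs(paths):
    """Return sorted (directory, exe, dll) triples: a watched host and a
    hijackable DLL name sharing one user-writable directory."""
    by_dir = defaultdict(set)
    for p in paths:
        directory, name = ntpath.split(p)   # ntpath: Windows paths on any OS
        by_dir[directory].add(name.lower())
    hits = []
    for directory, names in by_dir.items():
        if not USER_WRITABLE.search(directory + "\\"):
            continue
        for exe in sorted(names & SIDELOAD_HOSTS):
            for dll in sorted(names & HIJACKED_DLLS):
                hits.append((directory, exe, dll))
    return sorted(hits)


def walk_paths(root):
    """Collect every file path under root for a live hunt (not used by the
    constructed sample below)."""
    out = []
    for dirpath, _, files in os.walk(root):
        out.extend(os.path.join(dirpath, f) for f in files)
    return out


# Constructed from the drop locations named in this report, plus two
# legitimate System32 copies and an unrelated file that must not fire.
SAMPLE_PATHS = [
    r"C:\Users\user\AppData\Local\4xeLXaDKW\WINSTA.dll",
    r"C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe",
    r"C:\Users\user\AppData\Local\uRSIQRt4\dxgi.dll",
    r"C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe",
    r"C:\Users\user\AppData\Local\1XXGC21\DUI70.dll",
    r"C:\Users\user\AppData\Local\1XXGC21\msdt.exe",
    r"C:\Users\user\AppData\Local\96P3D\VERSION.dll",
    r"C:\Users\user\AppData\Local\96P3D\cmstp.exe",
    r"C:\Windows\System32\cmstp.exe",
    r"C:\Windows\System32\version.dll",
    r"C:\Users\user\AppData\Local\Temp\notes.txt",
]

if __name__ == "__main__":
    for directory, exe, dll in find_sideload_pairs(SAMPLE_PATHS):
        print(f"possible side-load: {exe} + {dll} in {directory}")
```

On a live host, feed walk_paths(os.environ["LOCALAPPDATA"]) into find_sideload_pairs; the two System32 entries in the sample are there to show that the same names in their proper location do not fire.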

E-Banking Fraud

Source: Yara match File source: 35.2.cmstp.exe.7ffc7c2f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.PresentationHost.exe.7ffc7c2f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.7ffc6f9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7ffc6f9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.DisplaySwitch.exe.7ffc6f9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.7ffc6f9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.GamePanel.exe.7ffc6f9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.msdt.exe.7ffc6e2a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.7ffc6f9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ffc6f9e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.cmstp.exe.7ffc7c2f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.278695271.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.357902587.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.424452492.00007FFC6F9E1000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.392236668.00007FFC6F9E1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.463842556.00007FFC6E2A1000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.491431291.00007FFC7C2F1000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.520892941.00007FFC7C2F1000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.298715660.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.548047896.00007FFC7C2F1000.00000020.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.293533164.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.285131581.00007FFC6F9E1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\M4eXJF\cmstp.exe C:\Users\user\AppData\Local\M4eXJF\cmstp.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\96P3D\cmstp.exe C:\Users\user\AppData\Local\96P3D\cmstp.exe
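The process-creation entries above show explorer.exe starting both the genuine C:\Windows\System32\cmstp.exe and relocated copies under C:\Users\user\AppData\Local\M4eXJF and C:\Users\user\AppData\Local\96P3D; the report also flags the Sigma rule "Suspicious Call by Ordinal" for the rundll32.exe processes that load the sample. The following Python is an added detection example, not part of the report: it runs two rules over constructed Sysmon-style process events, one for a known System32 binary executing from a non-system path and one for rundll32.exe invoked with an ,#ordinal export. The watched-binary list is limited to what this report names, and the rundll32 command line is an assumption because the report does not print it.

```python
"""Two detections for the process activity this report records: a known
System32 binary (cmstp.exe here) started from a path outside the system
directories, and the Sigma hit "Suspicious Call by Ordinal" (rundll32
loading an export by ,#ordinal instead of by name).

Added example, not part of the sandbox report. Events are constructed in the
shape of Sysmon Event ID 1 fields; the binary list is limited to what the
report names and the rundll32 command line is an assumption, since the
report does not print it."""
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WATCHED_BINARIES = {
    "cmstp.exe", "msdt.exe", "gamepanel.exe", "displayswitch.exe",
    "presentationhost.exe", "tabcal.exe", "cloudnotifications.exe",
}
ORDINAL_CALL = re.compile(r",\s*#\d+")


def rule_system_binary_relocated(ev):
    """A watched binary whose image path is not under a system directory."""
    image = ev["Image"].lower()
    if ntpath.basename(image) not in WATCHED_BINARIES:
        return False
    return not image.startswith(SYSTEM_DIRS)


def rule_rundll32_ordinal(ev):
    """rundll32 invoked with an ordinal export (",#N"), which is what the
    Sigma rule "Suspicious Call by Ordinal" looks for."""
    if ntpath.basename(ev["Image"].lower()) != "rundll32.exe":
        return False
    return ORDINAL_CALL.search(ev["CommandLine"]) is not None


RULES = {
    "system_binary_relocated": rule_system_binary_relocated,
    "rundll32_ordinal_call": rule_rundll32_ordinal,
}


def run_rules(events):
    """Return (event_index, rule_name) for every rule that fires."""
    alerts = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append((i, name))
    return alerts


# Constructed events. Indices 0-2 mirror the explorer.exe -> cmstp.exe
# creations in this report; 3 is an assumed loaddll64 -> rundll32 launch of
# the sample by ordinal; 4 is a benign rundll32 call by export name.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"C:\Windows\system32\cmstp.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\user\AppData\Local\M4eXJF\cmstp.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\M4eXJF\cmstp.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\user\AppData\Local\96P3D\cmstp.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\96P3D\cmstp.exe"},
    {"ParentImage": r"C:\Windows\System32\loaddll64.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for i, name in run_rules(SAMPLE_EVENTS):
        print(f"event {i}: {name} ({SAMPLE_EVENTS[i]['Image']})")
```

The genuine System32 cmstp.exe launch (event 0) stays silent, which matters in practice because cmstp.exe is also used by legitimate connection-manager installs; only the copies running from the user profile and the ordinal-call rundll32 trigger alerts.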
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA15020 0_2_00007FFC6FA15020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA297D0 0_2_00007FFC6FA297D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA47650 0_2_00007FFC6FA47650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA3DDC0 0_2_00007FFC6FA3DDC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4D520 0_2_00007FFC6FA4D520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA2A2C0 0_2_00007FFC6FA2A2C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA1AA70 0_2_00007FFC6FA1AA70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA2CA50 0_2_00007FFC6FA2CA50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA159F0 0_2_00007FFC6FA159F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA33150 0_2_00007FFC6FA33150
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA07880 0_2_00007FFC6FA07880
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA0C030 0_2_00007FFC6FA0C030
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA10020 0_2_00007FFC6FA10020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA04800 0_2_00007FFC6FA04800
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9E1010 0_2_00007FFC6F9E1010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA1F870 0_2_00007FFC6FA1F870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA2F870 0_2_00007FFC6FA2F870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA35840 0_2_00007FFC6FA35840
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA05050 0_2_00007FFC6FA05050
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA0E7B0 0_2_00007FFC6FA0E7B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA5B7A0 0_2_00007FFC6FA5B7A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4C780 0_2_00007FFC6FA4C780
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA5EF80 0_2_00007FFC6FA5EF80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9E6790 0_2_00007FFC6F9E6790
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA54FF0 0_2_00007FFC6FA54FF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA06FE0 0_2_00007FFC6FA06FE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9F8FC0 0_2_00007FFC6F9F8FC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9FA7D0 0_2_00007FFC6F9FA7D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA40F30 0_2_00007FFC6FA40F30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA0872B 0_2_00007FFC6FA0872B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA5BF6F 0_2_00007FFC6FA5BF6F
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA40770 0_2_00007FFC6FA40770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA45760 0_2_00007FFC6FA45760
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9FE770 0_2_00007FFC6F9FE770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA02F50 0_2_00007FFC6FA02F50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4A6B0 0_2_00007FFC6FA4A6B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA0F6B0 0_2_00007FFC6FA0F6B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA106A0 0_2_00007FFC6FA106A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9E7E80 0_2_00007FFC6F9E7E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9E6E90 0_2_00007FFC6F9E6E90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA47EC0 0_2_00007FFC6FA47EC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9E1620 0_2_00007FFC6F9E1620
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9EDE20 0_2_00007FFC6F9EDE20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA12E10 0_2_00007FFC6FA12E10
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA03610 0_2_00007FFC6FA03610
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9F8670 0_2_00007FFC6F9F8670
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA30650 0_2_00007FFC6FA30650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9EC5A0 0_2_00007FFC6F9EC5A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9F65E0 0_2_00007FFC6F9F65E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9F95C0 0_2_00007FFC6F9F95C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA125C0 0_2_00007FFC6FA125C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA11D30 0_2_00007FFC6FA11D30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA10D10 0_2_00007FFC6FA10D10
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9F9D70 0_2_00007FFC6F9F9D70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA0D550 0_2_00007FFC6FA0D550
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA03D50 0_2_00007FFC6FA03D50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4E4AD 0_2_00007FFC6FA4E4AD
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4E4B6 0_2_00007FFC6FA4E4B6
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4E49D 0_2_00007FFC6FA4E49D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA42CA0 0_2_00007FFC6FA42CA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4E4A6 0_2_00007FFC6FA4E4A6
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4A490 0_2_00007FFC6FA4A490
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4E494 0_2_00007FFC6FA4E494
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA0AC80 0_2_00007FFC6FA0AC80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4E48B 0_2_00007FFC6FA4E48B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA13CF0 0_2_00007FFC6FA13CF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA15CD0 0_2_00007FFC6FA15CD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9F3CD0 0_2_00007FFC6F9F3CD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9E5C20 0_2_00007FFC6F9E5C20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9F5420 0_2_00007FFC6F9F5420
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA49410 0_2_00007FFC6FA49410
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4E400 0_2_00007FFC6FA4E400
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9F7410 0_2_00007FFC6F9F7410
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA44390 0_2_00007FFC6FA44390
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9F23F0 0_2_00007FFC6F9F23F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA34BC0 0_2_00007FFC6FA34BC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA11B30 0_2_00007FFC6FA11B30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9EBB20 0_2_00007FFC6F9EBB20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA0A310 0_2_00007FFC6FA0A310
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA10300 0_2_00007FFC6FA10300
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA14360 0_2_00007FFC6FA14360
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA45B50 0_2_00007FFC6FA45B50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA03340 0_2_00007FFC6FA03340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9F8340 0_2_00007FFC6F9F8340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9E5350 0_2_00007FFC6F9E5350
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA482A0 0_2_00007FFC6FA482A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4AAA0 0_2_00007FFC6FA4AAA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA0DAA0 0_2_00007FFC6FA0DAA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA47AF0 0_2_00007FFC6FA47AF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA082E0 0_2_00007FFC6FA082E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA1BAE0 0_2_00007FFC6FA1BAE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA42AE0 0_2_00007FFC6FA42AE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA092C0 0_2_00007FFC6FA092C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA3F2C0 0_2_00007FFC6FA3F2C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4B260 0_2_00007FFC6FA4B260
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA1B250 0_2_00007FFC6FA1B250
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9E7A40 0_2_00007FFC6F9E7A40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA0E9A0 0_2_00007FFC6FA0E9A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9FE9B0 0_2_00007FFC6F9FE9B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA011B0 0_2_00007FFC6FA011B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA19990 0_2_00007FFC6FA19990
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9E2980 0_2_00007FFC6F9E2980
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA0F1F0 0_2_00007FFC6FA0F1F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA191F0 0_2_00007FFC6FA191F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA189F0 0_2_00007FFC6FA189F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA121D0 0_2_00007FFC6FA121D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA069C0 0_2_00007FFC6FA069C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA16130 0_2_00007FFC6FA16130
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9EB100 0_2_00007FFC6F9EB100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9FE110 0_2_00007FFC6F9FE110
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA03910 0_2_00007FFC6FA03910
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4B960 0_2_00007FFC6FA4B960
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA46950 0_2_00007FFC6FA46950
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA04140 0_2_00007FFC6FA04140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9F08B0 0_2_00007FFC6F9F08B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9FD890 0_2_00007FFC6F9FD890
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6F9E18D0 0_2_00007FFC6F9E18D0
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BD4EC8 20_2_00007FF701BD4EC8
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BE1670 20_2_00007FF701BE1670
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BC1250 20_2_00007FF701BC1250
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BCB24C 20_2_00007FF701BCB24C
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BD41D8 20_2_00007FF701BD41D8
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BCFCD8 20_2_00007FF701BCFCD8
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BD740C 20_2_00007FF701BD740C
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BE13B0 20_2_00007FF701BE13B0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77550D6B0 24_2_00007FF77550D6B0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77553D788 24_2_00007FF77553D788
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77554D7A2 24_2_00007FF77554D7A2
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754D3260 24_2_00007FF7754D3260
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77551B26C 24_2_00007FF77551B26C
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754D72C8 24_2_00007FF7754D72C8
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775535190 24_2_00007FF775535190
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77553B14C 24_2_00007FF77553B14C
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77552B124 24_2_00007FF77552B124
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775547460 24_2_00007FF775547460
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754F9484 24_2_00007FF7754F9484
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77550B454 24_2_00007FF77550B454
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77553137C 24_2_00007FF77553137C
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77550BE58 24_2_00007FF77550BE58
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775515F08 24_2_00007FF775515F08
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754A3D38 24_2_00007FF7754A3D38
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754AA058 24_2_00007FF7754AA058
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77553BF88 24_2_00007FF77553BF88
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77554BFEC 24_2_00007FF77554BFEC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775537A20 24_2_00007FF775537A20
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775511AD4 24_2_00007FF775511AD4
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754AB928 24_2_00007FF7754AB928
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77552F920 24_2_00007FF77552F920
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775517A00 24_2_00007FF775517A00
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77554FC59 24_2_00007FF77554FC59
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754DDC44 24_2_00007FF7754DDC44
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77552BD14 24_2_00007FF77552BD14
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77554DB6C 24_2_00007FF77554DB6C
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775510644 24_2_00007FF775510644
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775500620 24_2_00007FF775500620
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754DE560 24_2_00007FF7754DE560
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754F253C 24_2_00007FF7754F253C
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7755445E0 24_2_00007FF7755445E0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77550A5D0 24_2_00007FF77550A5D0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7755048C0 24_2_00007FF7755048C0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775540728 24_2_00007FF775540728
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754AA7EC 24_2_00007FF7754AA7EC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7755547E5 24_2_00007FF7755547E5
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754B9AF0 24_2_00007FF7754B9AF0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754AE7FC 24_2_00007FF7754AE7FC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754CE224 24_2_00007FF7754CE224
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754EA250 24_2_00007FF7754EA250
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77552C2D8 24_2_00007FF77552C2D8
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754E21AC 24_2_00007FF7754E21AC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775524198 24_2_00007FF775524198
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7755221AC 24_2_00007FF7755221AC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754D43B8 24_2_00007FF7754D43B8
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77553EE40 24_2_00007FF77553EE40
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754F8F14 24_2_00007FF7754F8F14
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77552ED90 24_2_00007FF77552ED90
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775524DD0 24_2_00007FF775524DD0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77553D010 24_2_00007FF77553D010
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77550AFF0 24_2_00007FF77550AFF0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754F6948 24_2_00007FF7754F6948
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7755089F4 24_2_00007FF7755089F4
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77553A998 24_2_00007FF77553A998
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775530C44 24_2_00007FF775530C44
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77550CCFC 24_2_00007FF77550CCFC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754C4CDC 24_2_00007FF7754C4CDC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754DED00 24_2_00007FF7754DED00
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF729A052B0 32_2_00007FF729A052B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299D2300 32_2_00007FF7299D2300
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299D6AF0 32_2_00007FF7299D6AF0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299CBAEC 32_2_00007FF7299CBAEC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299DCA38 32_2_00007FF7299DCA38
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299ED25C 32_2_00007FF7299ED25C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299EBA58 32_2_00007FF7299EBA58
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299F19B8 32_2_00007FF7299F19B8
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299EB1A4 32_2_00007FF7299EB1A4
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299C69B0 32_2_00007FF7299C69B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299C99D8 32_2_00007FF7299C99D8
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299D6150 32_2_00007FF7299D6150
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299DF4DC 32_2_00007FF7299DF4DC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299ECCE8 32_2_00007FF7299ECCE8
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E3440 32_2_00007FF7299E3440
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299FD440 32_2_00007FF7299FD440
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299EFBEC 32_2_00007FF7299EFBEC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299CFB90 32_2_00007FF7299CFB90
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299C6360 32_2_00007FF7299C6360
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E2360 32_2_00007FF7299E2360
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299DA6A4 32_2_00007FF7299DA6A4
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299DC6FC 32_2_00007FF7299DC6FC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299DD618 32_2_00007FF7299DD618
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299C5678 32_2_00007FF7299C5678
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299C9678 32_2_00007FF7299C9678
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299FE5CC 32_2_00007FF7299FE5CC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF729A01E04 32_2_00007FF729A01E04
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E5DEC 32_2_00007FF7299E5DEC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299EAD3C 32_2_00007FF7299EAD3C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299C7D18 32_2_00007FF7299C7D18
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299D80F8 32_2_00007FF7299D80F8
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299DC0E4 32_2_00007FF7299DC0E4
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E2050 32_2_00007FF7299E2050
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299EC878 32_2_00007FF7299EC878
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E37E0 32_2_00007FF7299E37E0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299F97D8 32_2_00007FF7299F97D8
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E7F18 32_2_00007FF7299E7F18
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E7784 32_2_00007FF7299E7784
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2E97D0 32_2_00007FFC6E2E97D0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D5020 32_2_00007FFC6E2D5020
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D5CD0 32_2_00007FFC6E2D5CD0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30D520 32_2_00007FFC6E30D520
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2FDDC0 32_2_00007FFC6E2FDDC0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E307650 32_2_00007FFC6E307650
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2DBAE0 32_2_00007FFC6E2DBAE0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2EA2C0 32_2_00007FFC6E2EA2C0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C7880 32_2_00007FFC6E2C7880
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2F3150 32_2_00007FFC6E2F3150
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D59F0 32_2_00007FFC6E2D59F0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2DAA70 32_2_00007FFC6E2DAA70
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2ECA50 32_2_00007FFC6E2ECA50
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2CF6B0 32_2_00007FFC6E2CF6B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D06A0 32_2_00007FFC6E2D06A0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2A6E90 32_2_00007FFC6E2A6E90
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2A7E80 32_2_00007FFC6E2A7E80
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30A6B0 32_2_00007FFC6E30A6B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E307EC0 32_2_00007FFC6E307EC0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E300F30 32_2_00007FFC6E300F30
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C872B 32_2_00007FFC6E2C872B
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E31BF6F 32_2_00007FFC6E31BF6F
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E300770 32_2_00007FFC6E300770
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2BE770 32_2_00007FFC6E2BE770
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E305760 32_2_00007FFC6E305760
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C2F50 32_2_00007FFC6E2C2F50
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2CE7B0 32_2_00007FFC6E2CE7B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2A6790 32_2_00007FFC6E2A6790
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E314FF0 32_2_00007FFC6E314FF0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30C780 32_2_00007FFC6E30C780
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E31EF80 32_2_00007FFC6E31EF80
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C6FE0 32_2_00007FFC6E2C6FE0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E31B7A0 32_2_00007FFC6E31B7A0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2BA7D0 32_2_00007FFC6E2BA7D0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2B8FC0 32_2_00007FFC6E2B8FC0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2CC030 32_2_00007FFC6E2CC030
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D0020 32_2_00007FFC6E2D0020
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2A1010 32_2_00007FFC6E2A1010
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C4800 32_2_00007FFC6E2C4800
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2DF870 32_2_00007FFC6E2DF870
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2EF870 32_2_00007FFC6E2EF870
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E320820 32_2_00007FFC6E320820
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C5050 32_2_00007FFC6E2C5050
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2F5840 32_2_00007FFC6E2F5840
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E302CA0 32_2_00007FFC6E302CA0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2CAC80 32_2_00007FFC6E2CAC80
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D3CF0 32_2_00007FFC6E2D3CF0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30E48B 32_2_00007FFC6E30E48B
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30A490 32_2_00007FFC6E30A490
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30E494 32_2_00007FFC6E30E494
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30E49D 32_2_00007FFC6E30E49D
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30E4A6 32_2_00007FFC6E30E4A6
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2B3CD0 32_2_00007FFC6E2B3CD0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30E4AD 32_2_00007FFC6E30E4AD
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30E4B6 32_2_00007FFC6E30E4B6
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D1D30 32_2_00007FFC6E2D1D30
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2F8D20 32_2_00007FFC6E2F8D20
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D0D10 32_2_00007FFC6E2D0D10
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2B9D70 32_2_00007FFC6E2B9D70
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2CD550 32_2_00007FFC6E2CD550
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C3D50 32_2_00007FFC6E2C3D50
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2AC5A0 32_2_00007FFC6E2AC5A0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E31C590 32_2_00007FFC6E31C590
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2B65E0 32_2_00007FFC6E2B65E0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D25C0 32_2_00007FFC6E2D25C0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2B95C0 32_2_00007FFC6E2B95C0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2A1620 32_2_00007FFC6E2A1620
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2ADE20 32_2_00007FFC6E2ADE20
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D2E10 32_2_00007FFC6E2D2E10
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C3610 32_2_00007FFC6E2C3610
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2B8670 32_2_00007FFC6E2B8670
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2F0650 32_2_00007FFC6E2F0650
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2CDAA0 32_2_00007FFC6E2CDAA0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E307AF0 32_2_00007FFC6E307AF0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C82E0 32_2_00007FFC6E2C82E0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E302AE0 32_2_00007FFC6E302AE0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E3082A0 32_2_00007FFC6E3082A0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30AAA0 32_2_00007FFC6E30AAA0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C92C0 32_2_00007FFC6E2C92C0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2F22C0 32_2_00007FFC6E2F22C0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2FF2C0 32_2_00007FFC6E2FF2C0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D1B30 32_2_00007FFC6E2D1B30
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2ABB20 32_2_00007FFC6E2ABB20
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2CA310 32_2_00007FFC6E2CA310
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D0300 32_2_00007FFC6E2D0300
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D4360 32_2_00007FFC6E2D4360
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E305B50 32_2_00007FFC6E305B50
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2A5350 32_2_00007FFC6E2A5350
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C3340 32_2_00007FFC6E2C3340
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2B8340 32_2_00007FFC6E2B8340
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E304390 32_2_00007FFC6E304390
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2B23F0 32_2_00007FFC6E2B23F0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2F4BC0 32_2_00007FFC6E2F4BC0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2A5C20 32_2_00007FFC6E2A5C20
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2B5420 32_2_00007FFC6E2B5420
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2B7410 32_2_00007FFC6E2B7410
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30E400 32_2_00007FFC6E30E400
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E31FC00 32_2_00007FFC6E31FC00
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E309410 32_2_00007FFC6E309410
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2B08B0 32_2_00007FFC6E2B08B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E31C0EB 32_2_00007FFC6E31C0EB
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2BD890 32_2_00007FFC6E2BD890
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2A18D0 32_2_00007FFC6E2A18D0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E31C8B1 32_2_00007FFC6E31C8B1
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D6130 32_2_00007FFC6E2D6130
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30B960 32_2_00007FFC6E30B960
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2BE110 32_2_00007FFC6E2BE110
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C3910 32_2_00007FFC6E2C3910
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2AB100 32_2_00007FFC6E2AB100
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E306950 32_2_00007FFC6E306950
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C4140 32_2_00007FFC6E2C4140
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2BE9B0 32_2_00007FFC6E2BE9B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C11B0 32_2_00007FFC6E2C11B0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2CE9A0 32_2_00007FFC6E2CE9A0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D9990 32_2_00007FFC6E2D9990
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2A2980 32_2_00007FFC6E2A2980
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2CF1F0 32_2_00007FFC6E2CF1F0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D91F0 32_2_00007FFC6E2D91F0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D89F0 32_2_00007FFC6E2D89F0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D21D0 32_2_00007FFC6E2D21D0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C69C0 32_2_00007FFC6E2C69C0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30B260 32_2_00007FFC6E30B260
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2DB250 32_2_00007FFC6E2DB250
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2A7A40 32_2_00007FFC6E2A7A40
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: String function: 00007FF7299C4474 appears 37 times
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: String function: 00007FF7299C419C appears 54 times
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: String function: 00007FF7299CCF60 appears 903 times
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: String function: 00007FF729A0410C appears 37 times
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: String function: 00007FF7754A4D68 appears 192 times
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: String function: 00007FF7754A32F8 appears 394 times
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: String function: 00007FF7754A6894 appears 49 times
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: String function: 00007FF775546AD8 appears 230 times
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: String function: 00007FF7754B62E4 appears 62 times
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA27770 NtClose, 0_2_00007FFC6FA27770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4D520 NtQuerySystemInformation,RtlAllocateHeap, 0_2_00007FFC6FA4D520
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77554A9CC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString, 24_2_00007FF77554A9CC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775516C44 RtlInitUnicodeString,NtQueryLicenseValue, 24_2_00007FF775516C44
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299F54EC NtQueryInformationToken,NtQueryInformationToken, 32_2_00007FF7299F54EC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299F5580 NtOpenThreadToken,NtOpenProcessToken,NtQueryInformationToken,NtClose, 32_2_00007FF7299F5580
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2E7770 NtClose, 32_2_00007FFC6E2E7770
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C5F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 32_2_00007FFC6E2C5F40
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 32_2_00007FFC6E2D5CD0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2DC4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 32_2_00007FFC6E2DC4D0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E30D520 NtQuerySystemInformation, 32_2_00007FFC6E30D520
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2DBAE0 NtReadVirtualMemory, 32_2_00007FFC6E2DBAE0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2DAA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread, 32_2_00007FFC6E2DAA70
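The native-API chains listed above are what the report's injection and evasion signatures rest on: NtCreateSection/NtMapViewOfSection/NtUnmapViewOfSection with NtDuplicateObject (a section mapped into another process), RtlQueueApcWow64Thread (an APC queued to a foreign thread), VirtualProtect followed by RtlCreateUserThread, and NtQueryInformationToken (the token check behind the evasive-API-chain signature). The Source paths matter as much as the chains: a Windows-shipped executable name (msdt.exe, GamePanel.exe) running from a randomly named folder under the user's AppData\Local is the layout usually associated with DLL side-loading. The Python script below is an added example, not part of the report or of any sandbox tooling. It parses evidence lines in this format, tags each function by the API chain it records, and flags Sources running from that layout. The RULES table and its labels, and the WINDOWS_BINARY_NAMES set (names taken from the dropped files listed in this report), are this example's own assumptions; the sample lines are copied from the findings above.

```python
"""
Tag Joe Sandbox 'Code function' evidence lines by the native-API chain each one
records, and flag Sources that run from a per-user AppData\\Local folder under the
name of a Windows-shipped executable. Added example, not part of the report or of
any sandbox tooling: RULES, its labels and WINDOWS_BINARY_NAMES are assumptions.
"""
import re
from collections import Counter

# Constructed input: evidence lines copied from the report above. The final
# 'String function' line shows that lines in another format are skipped.
REPORT_LINES = r"""
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA47AF0 0_2_00007FFC6FA47AF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA4D520 NtQuerySystemInformation,RtlAllocateHeap, 0_2_00007FFC6FA4D520
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77554A9CC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString, 24_2_00007FF77554A9CC
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299F5580 NtOpenThreadToken,NtOpenProcessToken,NtQueryInformationToken,NtClose, 32_2_00007FF7299F5580
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2C5F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 32_2_00007FFC6E2C5F40
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2D5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 32_2_00007FFC6E2D5CD0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2DC4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 32_2_00007FFC6E2DC4D0
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2DAA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread, 32_2_00007FFC6E2DAA70
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: String function: 00007FF7299CCF60 appears 903 times
"""

# Source path, process id, run id, function address, an optional comma-separated
# API chain (which carries a trailing comma), then the repeated function id.
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) Code function: "
    r"(?P<pid>\d+)_\d+_(?P<addr>[0-9A-F]+)"
    r"(?: (?P<apis>[A-Za-z0-9_,]+),)? \d+_\d+_[0-9A-F]+$"
)

# (label, APIs, mode): "all" needs every listed API in the chain, "any" needs one.
# Labels are this script's own, not the sandbox's signature names.
RULES = [
    ("section map/unmap (shared-section injection)", {"NtMapViewOfSection", "NtUnmapViewOfSection"}, "all"),
    ("APC queued to another thread", {"RtlQueueApcWow64Thread", "NtQueueApcThread", "QueueUserAPC"}, "any"),
    ("thread created after protection change", {"VirtualProtect", "RtlCreateUserThread"}, "all"),
    ("process/thread token inspection", {"NtQueryInformationToken"}, "any"),
    ("cross-process memory read", {"NtReadVirtualMemory"}, "any"),
    ("system/process enumeration", {"NtQuerySystemInformation"}, "any"),
]

# Assumption: names of Windows-shipped executables, taken from the dropped files in
# this report; a real hunt would compare against the System32 inventory instead.
WINDOWS_BINARY_NAMES = {"msdt.exe", "gamepanel.exe", "displayswitch.exe",
                        "presentationhost.exe", "tabcal.exe"}
USER_LOCAL_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\[^\\]+\\(?P<name>[^\\]+)$", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one evidence line, or None if it is not a Code function line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    apis = m.group("apis").split(",") if m.group("apis") else []
    return {"source": m.group("source"), "pid": int(m.group("pid")),
            "addr": m.group("addr"), "apis": apis}


def techniques_for(apis):
    """Labels of every rule whose API requirement this chain satisfies."""
    present = set(apis)
    return [label for label, needed, mode in RULES
            if (needed <= present if mode == "all" else bool(needed & present))]


def sideload_suspect(source):
    """True when a Windows binary name runs from <user>\\AppData\\Local\\<folder>\\ ."""
    m = USER_LOCAL_RE.match(source)
    return bool(m) and m.group("name").lower() in WINDOWS_BINARY_NAMES


def analyse(text):
    """Parse all evidence lines and attach technique labels and the side-load flag."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            rec["techniques"] = techniques_for(rec["apis"])
            rec["sideload_suspect"] = sideload_suspect(rec["source"])
            findings.append(rec)
    return findings


def summarize(findings):
    """Per source: function count, technique counts, and the side-load flag."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["source"], {"functions": 0, "techniques": Counter(),
                                             "sideload_suspect": f["sideload_suspect"]})
        s["functions"] += 1
        s["techniques"].update(f["techniques"])
    return summary


if __name__ == "__main__":
    for source, s in summarize(analyse(REPORT_LINES)).items():
        flag = " [runs from AppData\\Local under a Windows binary name]" if s["sideload_suspect"] else ""
        print(f"{source}{flag}\n  functions: {s['functions']}")
        for label, n in s["techniques"].most_common():
            print(f"  {n}x {label}")
```

Run over a full report export, the per-source summary separates the one process that carries the injection chains (here the msdt.exe copy under AppData\Local\1XXGC21) from the hundreds of bare function-address lines, and the side-load flag points at which dropped binaries deserve a hash comparison against their System32 originals.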
Source: dpnhupnp.dll Binary or memory string: OriginalFilenamedpnhupnp.dJ vs dpnhupnp.dll
Source: PresentationHost.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (10 such resources)
Source: tabcal.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 such resources)
Source: GamePanel.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 such resources)
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msdt.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll (3 occurrences)
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\M4eXJF\cmstp.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\a6o\PresentationHost.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\96P3D\cmstp.exe Section loaded: kernel34.dll
Source: DUI70.dll.6.dr Static PE information: Number of sections : 55 > 10
Source: WINSTA.dll.6.dr Static PE information: Number of sections : 55 > 10
Source: VERSION.dll1.6.dr Static PE information: Number of sections : 55 > 10
Source: HID.DLL.6.dr Static PE information: Number of sections : 55 > 10
Source: dxgi.dll.6.dr Static PE information: Number of sections : 55 > 10
Source: UxTheme.dll.6.dr Static PE information: Number of sections : 55 > 10
Source: VERSION.dll.6.dr Static PE information: Number of sections : 55 > 10
Source: VERSION.dll0.6.dr Static PE information: Number of sections : 55 > 10
Source: dpnhupnp.dll Static PE information: Number of sections : 54 > 10
Source: dpnhupnp.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll0.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: HID.DLL.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dxgi.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll1.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
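The "Number of sections : 55 > 10" and ".text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ" findings above are read straight from the PE section table. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the section table with the Python standard library only and flags the three things worth checking on a dropped DLL of this kind: more than ten sections, section names outside the set a compiler emits, and any section that is both writable and executable. The two images it parses are constructed in-memory fixtures (headers only, no code); the 48 odd names in the second fixture are the ones this report lists for dpnhupnp.dll further down, and the allow-list of standard section names is this example's own assumption.

```python
"""Static PE section triage with the standard library only.

Added example, not part of the Joe Sandbox report or of the sample. The two
images parsed at the bottom are constructed in-memory fixtures (headers only);
the 48 odd names in the second one are those this report lists for dpnhupnp.dll.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed allow-list: names the MSVC toolchain and Windows binaries use routinely.
# '.didat' (delay-load import data) and '.imrsiv' (immersive/AppContainer marker)
# are included on purpose: sandboxes list them as "strange", but they are normal
# in Microsoft-built executables such as the GamePanel.exe copy dropped here.
STANDARD_SECTIONS = frozenset({
    ".text", ".rdata", ".data", ".pdata", ".xdata", ".idata", ".edata",
    ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".didat", ".imrsiv",
    ".00cfg", ".gfids", ".mrdata", ".retplne",
})


def parse_sections(pe: bytes) -> list:
    """Return [(name, characteristics), ...] from the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fh = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, fh)
    table = fh + 20 + opt_size
    sections = []
    for i in range(nsect):
        off = table + 40 * i                      # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(pe):
            raise ValueError("section table runs past end of file")
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        (chars,) = struct.unpack_from("<I", pe, off + 36)
        sections.append((name, chars))
    return sections


def section_anomalies(sections, max_sections: int = 10) -> dict:
    """The checks behind 'Number of sections > 10' and 'non-standard names',
    plus the one that matters most: a section both writable and executable."""
    return {
        "count": len(sections),
        "too_many": len(sections) > max_sections,
        "nonstandard": [n for n, _ in sections if n not in STANDARD_SECTIONS],
        "rwx": [n for n, c in sections
                if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE],
    }


def build_pe(sections) -> bytes:
    """Constructed fixture: PE32+ headers plus a section table, no section data.
    Enough for the parser above, not a loadable image."""
    opt = struct.pack("<H", 0x20B).ljust(0xF0, b"\0")              # PE32+ magic
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x2022)
    table = b"".join(
        name.encode("latin-1").ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections)
    )
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    return dos + b"PE\0\0" + file_hdr + opt + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ   # as reported for .text
DATA_R = IMAGE_SCN_MEM_READ
DATA_RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

REPORTED_ODD_NAMES = (
    ".vxl .qwubgr .eer .xwwauf .pkc .npkda .vhs .iaywj .nasi .zhvprh .yatdsp .njso "
    ".lgliat .ntqjh .sucsek .qsxjui .twctcm .nms .ogj .vrkgb .gikfw .ktl .crcn .wtfr "
    ".hep .ywg .sqsp .tkyonf .lmr .nmvll .uvboq .pck .cui .bjpf .tdsza .ljyns .uvvcd "
    ".dhcna .ntjkji .copgfj .zmu .nqzul .qgbg .obih .igwjz .mkzlg .ovmzdw .rqfw"
).split()

USUAL_LAYOUT = [(".text", CODE), (".rdata", DATA_R), (".data", DATA_RW),
                (".pdata", DATA_R), (".rsrc", DATA_R), (".reloc", DATA_R)]
BENIGN_PE = build_pe(USUAL_LAYOUT)
PACKED_PE = build_pe(USUAL_LAYOUT + [(n, DATA_RW) for n in REPORTED_ODD_NAMES])  # 6 + 48 = 54

if __name__ == "__main__":
    for label, img in (("benign fixture", BENIGN_PE), ("packed fixture", PACKED_PE)):
        a = section_anomalies(parse_sections(img))
        print(f"{label}: {a['count']} sections, too_many={a['too_many']}, "
              f"{len(a['nonstandard'])} non-standard, rwx={a['rwx']}")
```

To run it against a real dropped file, pass the file contents: section_anomalies(parse_sections(open(path, "rb").read())). EXECUTE|CODE|READ on .text, as reported for every file above, is the normal layout; it is WRITE together with EXECUTE on a section that should escalate a finding, and the section count and the dozens of short random names are what tie the dropped VERSION.dll, UxTheme.dll, HID.DLL, WINSTA.dll, dxgi.dll and DUI70.dll to the submitted sample.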
Source: dpnhupnp.dll Virustotal: Detection: 65%
Source: dpnhupnp.dll Metadefender: Detection: 62%
Source: dpnhupnp.dll ReversingLabs: Detection: 83%
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\dpnhupnp.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoA
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoByHandle
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dpnhupnp.dll,GetFileVersionInfoExA
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DisplaySwitch.exe C:\Windows\system32\DisplaySwitch.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\msdt.exe C:\Windows\system32\msdt.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\1XXGC21\msdt.exe C:\Users\user\AppData\Local\1XXGC21\msdt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\M4eXJF\cmstp.exe C:\Users\user\AppData\Local\M4eXJF\cmstp.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\PresentationHost.exe C:\Windows\system32\PresentationHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\a6o\PresentationHost.exe C:\Users\user\AppData\Local\a6o\PresentationHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\96P3D\cmstp.exe C:\Users\user\AppData\Local\96P3D\cmstp.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown (6 occurrences)
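The process-creation lines above show two patterns worth turning into detections: rundll32.exe resolving the export by ordinal (",#1", the Sigma "Suspicious Call by Ordinal" hit in the summary), and explorer.exe launching a System32 binary and then a copy of the same binary from a randomly named folder under %LOCALAPPDATA%, the staging pattern of DLL search-order hijacking that the dropped VERSION.dll, UxTheme.dll, HID.DLL, WINSTA.dll, dxgi.dll and DUI70.dll fit (they carry the same section layout as the sample). The Python below is an added example, not part of the Joe Sandbox report or of the sample. Its event list is transcribed from the "Process created" lines above; the System32 inventory it checks against is a constructed stand-in for a directory listing of the analysed host, and the rule names are this example's own.

```python
"""Triage rules for the process-creation lines in this report.

Added example, not part of the Joe Sandbox report or of the sample. EVENTS is
transcribed from the 'Process created' lines above; SYSTEM32_NAMES is a
constructed stand-in for a directory listing of C:\\Windows\\System32.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the creating process
    image: str     # image path of the created process
    cmdline: str   # command line of the created process


ORDINAL_RE = re.compile(r",\s*#\d+")          # rundll32 export given as ",#N"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_rundll32_ordinal_call(ev: ProcEvent) -> bool:
    """Sigma 'Suspicious Call by Ordinal': rundll32 asked for an export by
    ordinal, which keeps the export name out of command-line telemetry."""
    cmd = ev.cmdline.lower()
    return "rundll32" in cmd and ORDINAL_RE.search(cmd) is not None


def is_system_binary_outside_system_dir(ev: ProcEvent, system32_names: frozenset) -> bool:
    """A binary that exists in System32 running from somewhere else, here from
    %LOCALAPPDATA%\\<random>\\ next to a DLL named like a system library."""
    return (basename(ev.image) in system32_names
            and not ev.image.lower().startswith(SYSTEM_DIRS))


def find_staged_copies(events) -> list:
    """Inventory-free variant: the same basename launched from a system
    directory and later from a non-system path within one trace."""
    seen_in_system, hits = set(), []
    for ev in events:
        name = basename(ev.image)
        if ev.image.lower().startswith(SYSTEM_DIRS):
            seen_in_system.add(name)
        elif name in seen_in_system:
            hits.append(ev.image)
    return hits


def triage(events, system32_names: frozenset) -> dict:
    return {
        "rundll32_ordinal": [e.cmdline for e in events if is_rundll32_ordinal_call(e)],
        "system_name_outside_system_dir": [
            e.image for e in events if is_system_binary_outside_system_dir(e, system32_names)],
        "staged_copies": find_staged_copies(events),
    }


SYS32 = r"C:\Windows\System32"
EXPLORER = r"C:\Windows\explorer.exe"
APP = r"C:\Users\user\AppData\Local"
DLL = r"C:\Users\user\Desktop\dpnhupnp.dll"

# Transcribed from the report: the loaddll64/rundll32 chain, then explorer.exe
# launching each System32 binary and (except wusa.exe) its copy under AppData.
EVENTS = [
    ProcEvent(SYS32 + r"\loaddll64.exe", SYS32 + r"\cmd.exe", f'cmd.exe /C rundll32.exe "{DLL}",#1'),
    ProcEvent(SYS32 + r"\loaddll64.exe", SYS32 + r"\rundll32.exe", f"rundll32.exe {DLL},GetFileVersionInfoA"),
    ProcEvent(SYS32 + r"\cmd.exe", SYS32 + r"\rundll32.exe", f'rundll32.exe "{DLL}",#1'),
    ProcEvent(SYS32 + r"\loaddll64.exe", SYS32 + r"\rundll32.exe", f"rundll32.exe {DLL},GetFileVersionInfoByHandle"),
    ProcEvent(SYS32 + r"\loaddll64.exe", SYS32 + r"\rundll32.exe", f"rundll32.exe {DLL},GetFileVersionInfoExA"),
]
for folder, exe in (("4xeLXaDKW", "DisplaySwitch.exe"), (None, "wusa.exe"),
                    ("uRSIQRt4", "GamePanel.exe"), ("1XXGC21", "msdt.exe"),
                    ("M4eXJF", "cmstp.exe"), ("a6o", "PresentationHost.exe"),
                    ("96P3D", "cmstp.exe")):
    EVENTS.append(ProcEvent(EXPLORER, SYS32 + "\\" + exe, SYS32 + "\\" + exe))
    if folder:
        staged = APP + "\\" + folder + "\\" + exe
        EVENTS.append(ProcEvent(EXPLORER, staged, staged))

# Constructed stand-in for a System32 directory listing (lower-cased basenames).
SYSTEM32_NAMES = frozenset({
    "cmd.exe", "rundll32.exe", "displayswitch.exe", "wusa.exe", "gamepanel.exe",
    "msdt.exe", "cmstp.exe", "presentationhost.exe",
})

if __name__ == "__main__":
    for rule, hits in triage(EVENTS, SYSTEM32_NAMES).items():
        print(f"{rule} ({len(hits)}):")
        for h in hits:
            print("   ", h)
```

On a live host the inventory comes from listing C:\Windows\System32 once; find_staged_copies needs no inventory at all but only fires when both launches fall inside the same trace, as they do here. Neither rule depends on explorer.exe being the parent: a user double-clicking a staged copy looks the same, and the point is the copy itself, not who started it.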
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.troj.evad.winDLL@43/17@1/0
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BCD6C4 CoCreateInstance,LocalFree,LocalFree, 20_2_00007FF701BCD6C4
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2DCB00 GetProcessId,CreateToolhelp32Snapshot,Thread32First, 32_2_00007FFC6E2DCB00
Source: C:\Users\user\AppData\Local\96P3D\cmstp.exe Mutant created: \Sessions\1\BaseNamedObjects\{1d8c6780-ccd1-3f65-ac44-7ba47b61fe90}
Source: C:\Users\user\AppData\Local\96P3D\cmstp.exe Mutant created: \Sessions\1\BaseNamedObjects\{d8079e48-5f84-d194-c189-b4fffdff4fd6}
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BCE2D8 FindResourceExW,LoadResource,LockResource, 20_2_00007FF701BCE2D8
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync SUCCEEDED
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FINALIZING
Source: dpnhupnp.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: dpnhupnp.dll Static file information: File size 1064960 > 1048576
Source: dpnhupnp.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: cmstp.pdbGCTL source: cmstp.exe, 00000023.00000000.468453797.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000023.00000002.491387694.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000028.00000002.547996060.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe, 00000028.00000000.525056194.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe.6.dr, cmstp.exe0.6.dr
Source: Binary string: msdt.pdbGCTL source: msdt.exe, 00000020.00000002.463579902.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe, 00000020.00000000.438710187.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe.6.dr
Source: Binary string: CloudNotifications.pdb source: CloudNotifications.exe.6.dr
Source: Binary string: tabcal.pdbGCTL source: tabcal.exe.6.dr
Source: Binary string: PresentationHost.pdbGCTL source: PresentationHost.exe, 00000026.00000002.520780934.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe, 00000026.00000000.496651636.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe.6.dr
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr
Source: Binary string: PresentationHost.pdb source: PresentationHost.exe, 00000026.00000002.520780934.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe, 00000026.00000000.496651636.00007FF76ED9F000.00000002.00000001.01000000.0000000F.sdmp, PresentationHost.exe.6.dr
Source: Binary string: cmstp.pdb source: cmstp.exe, 00000023.00000000.468453797.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000023.00000002.491387694.00007FF7DE0BF000.00000002.00000001.01000000.0000000D.sdmp, cmstp.exe, 00000028.00000002.547996060.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe, 00000028.00000000.525056194.00007FF72BE3F000.00000002.00000001.01000000.00000011.sdmp, cmstp.exe.6.dr, cmstp.exe0.6.dr
Source: Binary string: DisplaySwitch.pdbGCTL source: DisplaySwitch.exe, 00000014.00000000.368442640.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe, 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe.6.dr
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 00000018.00000000.398666237.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe, 00000018.00000002.423900656.00007FF775557000.00000002.00000001.01000000.00000009.sdmp, GamePanel.exe.6.dr
Source: Binary string: tabcal.pdb source: tabcal.exe.6.dr
Source: Binary string: msdt.pdb source: msdt.exe, 00000020.00000002.463579902.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe, 00000020.00000000.438710187.00007FF729A08000.00000002.00000001.01000000.0000000B.sdmp, msdt.exe.6.dr
Source: Binary string: DisplaySwitch.pdb source: DisplaySwitch.exe, 00000014.00000000.368442640.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe, 00000014.00000002.391524243.00007FF701BE4000.00000002.00000001.01000000.00000007.sdmp, DisplaySwitch.exe.6.dr
Source: Binary string: CloudNotifications.pdbGCTL source: CloudNotifications.exe.6.dr
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E31D500 push rax; iretd 32_2_00007FFC6E31D501
Source: dpnhupnp.dll Static PE information: section names (48 non-standard): .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .tkyonf, .lmr, .nmvll, .uvboq, .pck, .cui, .bjpf, .tdsza, .ljyns, .uvvcd, .dhcna, .ntjkji, .copgfj, .zmu, .nqzul, .qgbg, .obih, .igwjz, .mkzlg, .ovmzdw, .rqfw
Source: CloudNotifications.exe.6.dr Static PE information: section name: .imrsiv
Source: CloudNotifications.exe.6.dr Static PE information: section name: .didat
Source: tabcal.exe.6.dr Static PE information: section name: .didat
Source: DisplaySwitch.exe.6.dr Static PE information: section name: .imrsiv
Source: GamePanel.exe.6.dr Static PE information: section name: .imrsiv
Source: GamePanel.exe.6.dr Static PE information: section name: .didat
Source: VERSION.dll.6.dr Static PE information: section names (49 non-standard): .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .tkyonf, .lmr, .nmvll, .uvboq, .pck, .cui, .bjpf, .tdsza, .ljyns, .uvvcd, .dhcna, .ntjkji, .copgfj, .zmu, .nqzul, .qgbg, .obih, .igwjz, .mkzlg, .ovmzdw, .rqfw, .ahr
Source: VERSION.dll0.6.dr Static PE information: section names (49 non-standard): .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .tkyonf, .lmr, .nmvll, .uvboq, .pck, .cui, .bjpf, .tdsza, .ljyns, .uvvcd, .dhcna, .ntjkji, .copgfj, .zmu, .nqzul, .qgbg, .obih, .igwjz, .mkzlg, .ovmzdw, .rqfw, .ggmm
Source: UxTheme.dll.6.dr Static PE information: section names (49 non-standard): .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .tkyonf, .lmr, .nmvll, .uvboq, .pck, .cui, .bjpf, .tdsza, .ljyns, .uvvcd, .dhcna, .ntjkji, .copgfj, .zmu, .nqzul, .qgbg, .obih, .igwjz, .mkzlg, .ovmzdw, .rqfw, .jrx
Source: HID.DLL.6.dr Static PE information: section names (49 non-standard): .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .tkyonf, .lmr, .nmvll, .uvboq, .pck, .cui, .bjpf, .tdsza, .ljyns, .uvvcd, .dhcna, .ntjkji, .copgfj, .zmu, .nqzul, .qgbg, .obih, .igwjz, .mkzlg, .ovmzdw, .rqfw, .upo
Source: WINSTA.dll.6.dr Static PE information: section name: .vxl
Source: WINSTA.dll.6.dr Static PE information: section name: .qwubgr
Source: WINSTA.dll.6.dr Static PE information: section name: .eer
Source: WINSTA.dll.6.dr Static PE information: section name: .xwwauf
Source: WINSTA.dll.6.dr Static PE information: section name: .pkc
Source: WINSTA.dll.6.dr Static PE information: section name: .npkda
Source: WINSTA.dll.6.dr Static PE information: section name: .vhs
Source: WINSTA.dll.6.dr Static PE information: section name: .iaywj
Source: WINSTA.dll.6.dr Static PE information: section name: .nasi
Source: WINSTA.dll.6.dr Static PE information: section name: .zhvprh
Source: WINSTA.dll.6.dr Static PE information: section name: .yatdsp
Source: WINSTA.dll.6.dr Static PE information: section name: .njso
Source: WINSTA.dll.6.dr Static PE information: section name: .lgliat
Source: WINSTA.dll.6.dr Static PE information: section name: .ntqjh
Source: WINSTA.dll.6.dr Static PE information: section name: .sucsek
Source: WINSTA.dll.6.dr Static PE information: section name: .qsxjui
Source: WINSTA.dll.6.dr Static PE information: section name: .twctcm
Source: WINSTA.dll.6.dr Static PE information: section name: .nms
Source: WINSTA.dll.6.dr Static PE information: section name: .ogj
Source: WINSTA.dll.6.dr Static PE information: section name: .vrkgb
Source: WINSTA.dll.6.dr Static PE information: section name: .gikfw
Source: WINSTA.dll.6.dr Static PE information: section name: .ktl
Source: WINSTA.dll.6.dr Static PE information: section name: .crcn
Source: WINSTA.dll.6.dr Static PE information: section name: .wtfr
Source: WINSTA.dll.6.dr Static PE information: section name: .hep
Source: WINSTA.dll.6.dr Static PE information: section name: .ywg
Source: WINSTA.dll.6.dr Static PE information: section name: .sqsp
Source: WINSTA.dll.6.dr Static PE information: section name: .tkyonf
Source: WINSTA.dll.6.dr Static PE information: section name: .lmr
Source: WINSTA.dll.6.dr Static PE information: section name: .nmvll
Source: WINSTA.dll.6.dr Static PE information: section name: .uvboq
Source: WINSTA.dll.6.dr Static PE information: section name: .pck
Source: WINSTA.dll.6.dr Static PE information: section name: .cui
Source: WINSTA.dll.6.dr Static PE information: section name: .bjpf
Source: WINSTA.dll.6.dr Static PE information: section name: .tdsza
Source: WINSTA.dll.6.dr Static PE information: section name: .ljyns
Source: WINSTA.dll.6.dr Static PE information: section name: .uvvcd
Source: WINSTA.dll.6.dr Static PE information: section name: .dhcna
Source: WINSTA.dll.6.dr Static PE information: section name: .ntjkji
Source: WINSTA.dll.6.dr Static PE information: section name: .copgfj
Source: WINSTA.dll.6.dr Static PE information: section name: .zmu
Source: WINSTA.dll.6.dr Static PE information: section name: .nqzul
Source: WINSTA.dll.6.dr Static PE information: section name: .qgbg
Source: WINSTA.dll.6.dr Static PE information: section name: .obih
Source: WINSTA.dll.6.dr Static PE information: section name: .igwjz
Source: WINSTA.dll.6.dr Static PE information: section name: .mkzlg
Source: WINSTA.dll.6.dr Static PE information: section name: .ovmzdw
Source: WINSTA.dll.6.dr Static PE information: section name: .rqfw
Source: WINSTA.dll.6.dr Static PE information: section name: .zpkuim
Source: dxgi.dll.6.dr Static PE information: section name: .vxl
Source: dxgi.dll.6.dr Static PE information: section name: .qwubgr
Source: dxgi.dll.6.dr Static PE information: section name: .eer
Source: dxgi.dll.6.dr Static PE information: section name: .xwwauf
Source: dxgi.dll.6.dr Static PE information: section name: .pkc
Source: dxgi.dll.6.dr Static PE information: section name: .npkda
Source: dxgi.dll.6.dr Static PE information: section name: .vhs
Source: dxgi.dll.6.dr Static PE information: section name: .iaywj
Source: dxgi.dll.6.dr Static PE information: section name: .nasi
Source: dxgi.dll.6.dr Static PE information: section name: .zhvprh
Source: dxgi.dll.6.dr Static PE information: section name: .yatdsp
Source: dxgi.dll.6.dr Static PE information: section name: .njso
Source: dxgi.dll.6.dr Static PE information: section name: .lgliat
Source: dxgi.dll.6.dr Static PE information: section name: .ntqjh
Source: dxgi.dll.6.dr Static PE information: section name: .sucsek
Source: dxgi.dll.6.dr Static PE information: section name: .qsxjui
Source: dxgi.dll.6.dr Static PE information: section name: .twctcm
Source: dxgi.dll.6.dr Static PE information: section name: .nms
Source: dxgi.dll.6.dr Static PE information: section name: .ogj
Source: dxgi.dll.6.dr Static PE information: section name: .vrkgb
Source: dxgi.dll.6.dr Static PE information: section name: .gikfw
Source: dxgi.dll.6.dr Static PE information: section name: .ktl
Source: dxgi.dll.6.dr Static PE information: section name: .crcn
Source: dxgi.dll.6.dr Static PE information: section name: .wtfr
Source: dxgi.dll.6.dr Static PE information: section name: .hep
Source: dxgi.dll.6.dr Static PE information: section name: .ywg
Source: dxgi.dll.6.dr Static PE information: section name: .sqsp
Source: dxgi.dll.6.dr Static PE information: section name: .tkyonf
Source: dxgi.dll.6.dr Static PE information: section name: .lmr
Source: dxgi.dll.6.dr Static PE information: section name: .nmvll
Source: dxgi.dll.6.dr Static PE information: section name: .uvboq
Source: dxgi.dll.6.dr Static PE information: section name: .pck
Source: dxgi.dll.6.dr Static PE information: section name: .cui
Source: dxgi.dll.6.dr Static PE information: section name: .bjpf
Source: dxgi.dll.6.dr Static PE information: section name: .tdsza
Source: dxgi.dll.6.dr Static PE information: section name: .ljyns
Source: dxgi.dll.6.dr Static PE information: section name: .uvvcd
Source: dxgi.dll.6.dr Static PE information: section name: .dhcna
Source: dxgi.dll.6.dr Static PE information: section name: .ntjkji
Source: dxgi.dll.6.dr Static PE information: section name: .copgfj
Source: dxgi.dll.6.dr Static PE information: section name: .zmu
Source: dxgi.dll.6.dr Static PE information: section name: .nqzul
Source: dxgi.dll.6.dr Static PE information: section name: .qgbg
Source: dxgi.dll.6.dr Static PE information: section name: .obih
Source: dxgi.dll.6.dr Static PE information: section name: .igwjz
Source: dxgi.dll.6.dr Static PE information: section name: .mkzlg
Source: dxgi.dll.6.dr Static PE information: section name: .ovmzdw
Source: dxgi.dll.6.dr Static PE information: section name: .rqfw
Source: dxgi.dll.6.dr Static PE information: section name: .ymlmlw
Source: DUI70.dll.6.dr Static PE information: section name: .vxl
Source: DUI70.dll.6.dr Static PE information: section name: .qwubgr
Source: DUI70.dll.6.dr Static PE information: section name: .eer
Source: DUI70.dll.6.dr Static PE information: section name: .xwwauf
Source: DUI70.dll.6.dr Static PE information: section name: .pkc
Source: DUI70.dll.6.dr Static PE information: section name: .npkda
Source: DUI70.dll.6.dr Static PE information: section name: .vhs
Source: DUI70.dll.6.dr Static PE information: section name: .iaywj
Source: DUI70.dll.6.dr Static PE information: section name: .nasi
Source: DUI70.dll.6.dr Static PE information: section name: .zhvprh
Source: DUI70.dll.6.dr Static PE information: section name: .yatdsp
Source: DUI70.dll.6.dr Static PE information: section name: .njso
Source: DUI70.dll.6.dr Static PE information: section name: .lgliat
Source: DUI70.dll.6.dr Static PE information: section name: .ntqjh
Source: DUI70.dll.6.dr Static PE information: section name: .sucsek
Source: DUI70.dll.6.dr Static PE information: section name: .qsxjui
Source: DUI70.dll.6.dr Static PE information: section name: .twctcm
Source: DUI70.dll.6.dr Static PE information: section name: .nms
Source: DUI70.dll.6.dr Static PE information: section name: .ogj
Source: DUI70.dll.6.dr Static PE information: section name: .vrkgb
Source: DUI70.dll.6.dr Static PE information: section name: .gikfw
Source: DUI70.dll.6.dr Static PE information: section name: .ktl
Source: DUI70.dll.6.dr Static PE information: section name: .crcn
Source: DUI70.dll.6.dr Static PE information: section name: .wtfr
Source: DUI70.dll.6.dr Static PE information: section name: .hep
Source: DUI70.dll.6.dr Static PE information: section name: .ywg
Source: DUI70.dll.6.dr Static PE information: section name: .sqsp
Source: DUI70.dll.6.dr Static PE information: section name: .tkyonf
Source: DUI70.dll.6.dr Static PE information: section name: .lmr
Source: DUI70.dll.6.dr Static PE information: section name: .nmvll
Source: DUI70.dll.6.dr Static PE information: section name: .uvboq
Source: DUI70.dll.6.dr Static PE information: section name: .pck
Source: DUI70.dll.6.dr Static PE information: section name: .cui
Source: DUI70.dll.6.dr Static PE information: section name: .bjpf
Source: DUI70.dll.6.dr Static PE information: section name: .tdsza
Source: DUI70.dll.6.dr Static PE information: section name: .ljyns
Source: DUI70.dll.6.dr Static PE information: section name: .uvvcd
Source: DUI70.dll.6.dr Static PE information: section name: .dhcna
Source: DUI70.dll.6.dr Static PE information: section name: .ntjkji
Source: DUI70.dll.6.dr Static PE information: section name: .copgfj
Source: DUI70.dll.6.dr Static PE information: section name: .zmu
Source: DUI70.dll.6.dr Static PE information: section name: .nqzul
Source: DUI70.dll.6.dr Static PE information: section name: .qgbg
Source: DUI70.dll.6.dr Static PE information: section name: .obih
Source: DUI70.dll.6.dr Static PE information: section name: .igwjz
Source: DUI70.dll.6.dr Static PE information: section name: .mkzlg
Source: DUI70.dll.6.dr Static PE information: section name: .ovmzdw
Source: DUI70.dll.6.dr Static PE information: section name: .rqfw
Source: DUI70.dll.6.dr Static PE information: section name: .ngt
Source: VERSION.dll1.6.dr Static PE information: section name: .vxl
Source: VERSION.dll1.6.dr Static PE information: section name: .qwubgr
Source: VERSION.dll1.6.dr Static PE information: section name: .eer
Source: VERSION.dll1.6.dr Static PE information: section name: .xwwauf
Source: VERSION.dll1.6.dr Static PE information: section name: .pkc
Source: VERSION.dll1.6.dr Static PE information: section name: .npkda
Source: VERSION.dll1.6.dr Static PE information: section name: .vhs
Source: VERSION.dll1.6.dr Static PE information: section name: .iaywj
Source: VERSION.dll1.6.dr Static PE information: section name: .nasi
Source: VERSION.dll1.6.dr Static PE information: section name: .zhvprh
Source: VERSION.dll1.6.dr Static PE information: section name: .yatdsp
Source: VERSION.dll1.6.dr Static PE information: section name: .njso
Source: VERSION.dll1.6.dr Static PE information: section name: .lgliat
Source: VERSION.dll1.6.dr Static PE information: section name: .ntqjh
Source: VERSION.dll1.6.dr Static PE information: section name: .sucsek
Source: VERSION.dll1.6.dr Static PE information: section name: .qsxjui
Source: VERSION.dll1.6.dr Static PE information: section name: .twctcm
Source: VERSION.dll1.6.dr Static PE information: section name: .nms
Source: VERSION.dll1.6.dr Static PE information: section name: .ogj
Source: VERSION.dll1.6.dr Static PE information: section name: .vrkgb
Source: VERSION.dll1.6.dr Static PE information: section name: .gikfw
Source: VERSION.dll1.6.dr Static PE information: section name: .ktl
Source: VERSION.dll1.6.dr Static PE information: section name: .crcn
Source: VERSION.dll1.6.dr Static PE information: section name: .wtfr
Source: VERSION.dll1.6.dr Static PE information: section name: .hep
Source: VERSION.dll1.6.dr Static PE information: section name: .ywg
Source: VERSION.dll1.6.dr Static PE information: section name: .sqsp
Source: VERSION.dll1.6.dr Static PE information: section name: .tkyonf
Source: VERSION.dll1.6.dr Static PE information: section name: .lmr
Source: VERSION.dll1.6.dr Static PE information: section name: .nmvll
Source: VERSION.dll1.6.dr Static PE information: section name: .uvboq
Source: VERSION.dll1.6.dr Static PE information: section name: .pck
Source: VERSION.dll1.6.dr Static PE information: section name: .cui
Source: VERSION.dll1.6.dr Static PE information: section name: .bjpf
Source: VERSION.dll1.6.dr Static PE information: section name: .tdsza
Source: VERSION.dll1.6.dr Static PE information: section name: .ljyns
Source: VERSION.dll1.6.dr Static PE information: section name: .uvvcd
Source: VERSION.dll1.6.dr Static PE information: section name: .dhcna
Source: VERSION.dll1.6.dr Static PE information: section name: .ntjkji
Source: VERSION.dll1.6.dr Static PE information: section name: .copgfj
Source: VERSION.dll1.6.dr Static PE information: section name: .zmu
Source: VERSION.dll1.6.dr Static PE information: section name: .nqzul
Source: VERSION.dll1.6.dr Static PE information: section name: .qgbg
Source: VERSION.dll1.6.dr Static PE information: section name: .obih
Source: VERSION.dll1.6.dr Static PE information: section name: .igwjz
Source: VERSION.dll1.6.dr Static PE information: section name: .mkzlg
Source: VERSION.dll1.6.dr Static PE information: section name: .ovmzdw
Source: VERSION.dll1.6.dr Static PE information: section name: .rqfw
Source: VERSION.dll1.6.dr Static PE information: section name: .rjand
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BE1B88 LoadLibraryW,GetProcAddress,FreeLibrary,SetDisplayConfig, 20_2_00007FF701BE1B88
Source: cmstp.exe.6.dr Static PE information: 0xEF676D1B [Thu Apr 11 15:32:43 2097 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4xeLXaDKW\WINSTA.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\M4eXJF\cmstp.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\M4eXJF\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\96P3D\cmstp.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\RiK2PNsRy\HID.DLL Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\96P3D\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\a6o\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\WPx7QKO3\CloudNotifications.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\uRSIQRt4\dxgi.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\a6o\PresentationHost.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\WPx7QKO3\UxTheme.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\RiK2PNsRy\tabcal.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\1XXGC21\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\RkRLYOhG1 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe TID: 1952 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\RiK2PNsRy\HID.DLL Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\WPx7QKO3\CloudNotifications.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\RiK2PNsRy\tabcal.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BC1250 rdtsc 20_2_00007FF701BC1250
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe API coverage: 0.3 %
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe API coverage: 0.2 %
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe API coverage: 1.7 %
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA3DDC0 GetSystemInfo, 0_2_00007FFC6FA3DDC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA3ED10 FindFirstFileExW, 0_2_00007FFC6FA3ED10
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E7C3C GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree, 32_2_00007FF7299E7C3C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E6494 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,#13,GetLastError,GetProcessHeap,HeapFree, 32_2_00007FF7299E6494
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299FA65C memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 32_2_00007FF7299FA65C
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299FBD48 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 32_2_00007FF7299FBD48
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E6720 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 32_2_00007FF7299E6720
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E7784 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 32_2_00007FF7299E7784
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299E2770 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 32_2_00007FF7299E2770
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FFC6E2FED10 FindFirstFileExW, 32_2_00007FFC6E2FED10
Source: explorer.exe, 00000006.00000000.301054763.00000000067C2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.289710351.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.289794382.0000000008778000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000006.00000000.289710351.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000006.00000000.301054763.00000000067C2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.301054763.00000000067C2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000006.00000000.308538161.0000000008778000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}
Source: explorer.exe, 00000006.00000000.289710351.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BD23E4 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 20_2_00007FF701BD23E4
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BE1B88 LoadLibraryW,GetProcAddress,FreeLibrary,SetDisplayConfig, 20_2_00007FF701BE1B88
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BD6EBC TlsGetValue,GetProcessHeap,HeapAlloc,TlsSetValue,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ,GetProcessHeap,HeapFree,TlsSetValue, 20_2_00007FF701BD6EBC
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BC1250 rdtsc 20_2_00007FF701BC1250
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA297D0 LdrLoadDll,FindClose, 0_2_00007FFC6FA297D0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF7754DF0A0 BlockInput,SendInput, 24_2_00007FF7754DF0A0
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BE2140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00007FF701BE2140
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BE24E0 SetUnhandledExceptionFilter, 20_2_00007FF701BE24E0
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77554B284 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00007FF77554B284
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77554BD44 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00007FF77554BD44
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF77554BF20 SetUnhandledExceptionFilter, 24_2_00007FF77554BF20
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF729A06140 SetUnhandledExceptionFilter, 32_2_00007FF729A06140
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF729A05E58 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 32_2_00007FF729A05E58

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: VERSION.dll.6.dr Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4EFE0 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4E000 protect: page execute read Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8BAD2A20 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h Jump to behavior
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299CFF54 memset,GetModuleFileNameW,GetLastError,memset,ShellExecuteExW,CreateThread,GetLastError,GetProcessHeap,HeapFree,GetLastError, 32_2_00007FF7299CFF54
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dpnhupnp.dll",#1 Jump to behavior
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775548CAC mouse_event,SetForegroundWindow, 24_2_00007FF775548CAC
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: 24_2_00007FF775546418 AllocateAndInitializeSid,GetLastError,CloseHandle,SetLastError,OpenProcessToken,GetLastError,CloseHandle,SetLastError,DuplicateToken,CheckTokenMembership,GetLastError,FreeSid,CloseHandle,CloseHandle, 24_2_00007FF775546418
Source: explorer.exe, 00000006.00000000.280086220.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.317487727.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.297309804.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 00000006.00000000.317834079.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.297726319.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.280400112.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.284101788.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.317834079.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.297726319.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.317834079.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.297726319.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.280400112.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.317834079.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.297726319.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.280400112.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.323729877.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.308538161.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.289794382.0000000008778000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndh
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: RoInitialize,CoInitializeSecurity,RegisterWindowMessageW,CommandLineToArgvW,wcschr,_o__wcsnicmp,wcsnlen,_o_wcstol,_o__wcsnicmp,_o_wcstol,FindWindowW,GetUserDefaultUILanguage,GetLocaleInfoW,SetProcessDefaultLayout,IsWindow,SetProcessDpiAwareness,PostMessageW,memset,PostQuitMessage,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,EventUnregister,CloseHandle,EventUnregister,UnhookWinEvent,LocalFree,CloseHandle,RoUninitialize, 24_2_00007FF7754D72C8
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: WindowsGetStringRawBuffer,WideCharToMultiByte,WindowsDeleteString,WindowsDuplicateString,WindowsDeleteString,WindowsDuplicateString,GetUserDefaultUILanguage,LCIDToLocaleName,GetLocaleInfoEx, 24_2_00007FF7754B6068
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: _o__Getdays,_o_free,_o__Getmonths,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx, 24_2_00007FF77553A840
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: _o__W_Getdays,_o_free,_o_malloc,memmove,_o_free,_o__W_Getmonths,_o_free,_o_malloc,memmove,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx, 24_2_00007FF77553CE28
Source: C:\Users\user\AppData\Local\uRSIQRt4\GamePanel.exe Code function: _o__Getdays,_o_free,_o_calloc,_o__Getmonths,_o_free,_o_calloc,_o_calloc,_o____lc_locale_name_func,GetLocaleInfoEx,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task, 24_2_00007FF775530A3C
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\1XXGC21\msdt.exe Code function: 32_2_00007FF7299EA0D0 GetProcessHeap,HeapAlloc,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateEventW,CreateNamedPipeW,ConnectNamedPipe,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,LocalFree, 32_2_00007FF7299EA0D0
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BE2670 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 20_2_00007FF701BE2670
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6FA29400 GetUserNameW, 0_2_00007FFC6FA29400
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BD6220 new,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z, 20_2_00007FF701BD6220
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BD5620 new,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z, 20_2_00007FF701BD5620
Source: C:\Users\user\AppData\Local\4xeLXaDKW\DisplaySwitch.exe Code function: 20_2_00007FF701BCD4F8 TlsGetValue,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?ContentProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ,new,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?EndDefer@Element@DirectUI@@QEAAXK@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z, 20_2_00007FF701BCD4F8
No contacted IP infos