Windows Analysis Report
AyBhhRZXPj

Overview

General Information

Sample Name: AyBhhRZXPj (renamed file extension from none to dll)
Analysis ID: 595303
MD5: 518cc4a9888e76bc1a916fd67a08a075
SHA1: 148d6f12f12a0cae195f36f4319839f6687b7144
SHA256: 57b0d95f62fc7999dd21b6a0aef4087ad855ccb2d28b99463ee6c88ddf037009
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Installs a raw input device (often for capturing keystrokes)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

AV Detection

Source: AyBhhRZXPj.dll Virustotal: Detection: 70%
Source: AyBhhRZXPj.dll Metadefender: Detection: 62%
Source: AyBhhRZXPj.dll ReversingLabs: Detection: 88%
Source: AyBhhRZXPj.dll Avira: detected
Source: C:\Users\user\AppData\Local\Odp\dwmapi.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\u70W8\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: AyBhhRZXPj.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Odp\dwmapi.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\u70W8\UxTheme.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA5C7B8 CryptDecryptMessage,GetLastError,LocalAlloc,CryptDecryptMessage,GetLastError,LocalFree, 37_2_00007FF6BFA5C7B8
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA43EE8 CryptAcquireContextW,GetLastError,CryptReleaseContext,SetLastError,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptCreateHash,GetLastError,CryptCreateHash,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64,CryptHashData,CryptHashData,CryptHashData,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64W,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64W,LocalFree,??_V@YAXPEAX@Z,CryptDestroyHash,CryptDestroyHash,CryptDestroyHash,CryptReleaseContext, 37_2_00007FF6BFA43EE8
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA44540 CryptAcquireContextW,GetLastError,CryptReleaseContext,SetLastError,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptCreateHash,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64,CryptHashData,CryptHashData,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64W,??_V@YAXPEAX@Z,CryptDestroyHash,CryptDestroyHash,CryptReleaseContext, 37_2_00007FF6BFA44540
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA5C5A8 memset,CryptEncryptMessage,GetLastError,LocalAlloc,CryptEncryptMessage,GetLastError,LocalFree, 37_2_00007FF6BFA5C5A8
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA44528 CryptDestroyHash, 37_2_00007FF6BFA44528
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA4450C CryptReleaseContext, 37_2_00007FF6BFA4450C
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA5C3D8 CryptVerifyMessageSignature,GetLastError,LocalAlloc,CryptVerifyMessageSignature,GetLastError,LocalFree, 37_2_00007FF6BFA5C3D8
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA55260 CryptAcquireContextW,GetLastError,CryptReleaseContext,SetLastError,CryptAcquireContextW,GetLastError,LocalAlloc,CryptGenRandom,GetLastError,LocalFree,CryptReleaseContext, 37_2_00007FF6BFA55260
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA5C1CC memset,CryptSignMessage,GetLastError,LocalAlloc,CryptSignMessage,GetLastError,LocalFree, 37_2_00007FF6BFA5C1CC
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA5BA30 CryptHashCertificate,GetLastError, 37_2_00007FF6BFA5BA30
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA449A8 UnicodeToMB,CryptHashData,GetLastError,??_V@YAXPEAX@Z, 37_2_00007FF6BFA449A8
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA68598 CryptAcquireContextW,CryptCreateHash, 41_2_00007FF76CA68598
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA68610 CryptGetHashParam,memset, 41_2_00007FF76CA68610
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA68534 CryptDestroyHash,CryptReleaseContext, 41_2_00007FF76CA68534
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA6874C CryptHashData, 41_2_00007FF76CA6874C
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA688F8 CryptHashData, 41_2_00007FF76CA688F8
Source: AyBhhRZXPj.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: mspaint.pdb source: mspaint.exe, 00000019.00000000.419578288.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp, mspaint.exe, 00000019.00000002.455682881.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: mspaint.pdbGCTL source: mspaint.exe, 00000019.00000000.419578288.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp, mspaint.exe, 00000019.00000002.455682881.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: unregmp2.pdb source: unregmp2.exe, 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp, unregmp2.exe, 00000023.00000000.466778419.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 00000015.00000000.378208348.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp, FileHistory.exe, 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: unregmp2.pdbGCTL source: unregmp2.exe, 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp, unregmp2.exe, 00000023.00000000.466778419.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: omadmclient.pdb source: omadmclient.exe, 00000025.00000000.504473008.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp, omadmclient.exe, 00000025.00000002.528042949.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: omadmclient.pdbGCTL source: omadmclient.exe, 00000025.00000000.504473008.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp, omadmclient.exe, 00000025.00000002.528042949.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: FileHistory.pdb source: FileHistory.exe, 00000015.00000000.378208348.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp, FileHistory.exe, 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6711ED10 FindFirstFileExW, 0_2_00007FFC6711ED10
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C6ED10 FindFirstFileExW, 25_2_00007FFC74C6ED10
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672546088 FindFirstFileW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,FindNextFileW,FindClose,RegOpenKeyExW,LoadStringW,RegQueryValueExW,LoadStringW,RegCloseKey,PathAddBackslashW,GetFileAttributesW,RegOpenKeyExW,LoadStringW,RegQueryValueExW,PathAddBackslashW,GetFileAttributesW,RegCloseKey,RegCloseKey,LoadStringW,PathAddBackslashW,GetFileAttributesW,LoadStringW,PathAddBackslashW,GetFileAttributesW,wcsrchr,LoadStringW,PathAddBackslashW,GetFileAttributesW,RegOpenKeyExW,LoadStringW,RegQueryValueExW,PathAddBackslashW,GetFileAttributesW,RegCloseKey,RegCloseKey,LoadStringW,PathAddBackslashW,GetFileAttributesW,LoadStringW,PathAddBackslashW,GetFileAttributesW,wcsrchr, 35_2_00007FF672546088
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672545B4C PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW, 35_2_00007FF672545B4C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672548BFC CoInitialize,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,CoUninitialize, 35_2_00007FF672548BFC
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF6725472E8 RegOpenKeyExW,RegQueryValueExW,SHChangeNotify,RegDeleteValueW,wcsrchr,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,RegQueryValueExW,RegCloseKey, 35_2_00007FF6725472E8
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF6725479C4 SHGetSpecialFolderPathW,PathRemoveFileSpecW,PathRemoveFileSpecW,LoadStringW,PathRemoveFileSpecW,PathAppendW,PathIsDirectoryW,PathRemoveFileSpecW,PathAppendW,PathAppendW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW, 35_2_00007FF6725479C4
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augment
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/gameclips/Augment
Source: GamePanel.exe String found in binary or memory: https://MediaData.XboxLive.com/screenshots/Augment
Source: GamePanel.exe String found in binary or memory: https://aka.ms/ifg0es
Source: GamePanel.exe String found in binary or memory: https://aka.ms/imfx4k
Source: GamePanel.exe String found in binary or memory: https://aka.ms/imrx2o
Source: GamePanel.exe String found in binary or memory: https://aka.ms/v5do45
Source: GamePanel.exe String found in binary or memory: https://aka.ms/w5ryqn
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING
Source: GamePanel.exe, GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://aka.ms/wk9ocd
Source: GamePanel.exe String found in binary or memory: https://mixer.com/%ws
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://mixer.com/%wsWindows.System.Launcher
Source: GamePanel.exe String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.png
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia
Source: GamePanel.exe, GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://mixer.com/api/v1/broadcasts/current
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/channels/%d
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/channels/%ws
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/chats/%.0f
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/oauth/xbl/login
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/types/lookup%ws
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v
Source: GamePanel.exe String found in binary or memory: https://mixer.com/api/v1/users/current
Source: GamePanel.exe String found in binary or memory: https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw
Source: GamePanel.exe String found in binary or memory: https://www.xboxlive.com
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CAA45E0 UiaReturnRawElementProvider,GetRawInputData,GetMessageExtraInfo,GetMessageExtraInfo,SendMessageW,SendMessageW,MulDiv,#413,Concurrency::cancel_current_task, 41_2_00007FF76CAA45E0

E-Banking Fraud

Source: Yara match File source: 8.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.unregmp2.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.FileHistory.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.omadmclient.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.GamePanel.exe.7ffc678e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.mspaint.exe.7ffc74c10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.254650738.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.268092209.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.497477137.00007FFC74C21000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.260480210.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.363013775.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.566763440.00007FFC678E1000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.528095549.00007FFC74C21000.00000020.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C52E10 21_2_00007FFC74C52E10
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C43610 21_2_00007FFC74C43610
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C21620 21_2_00007FFC74C21620
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C2DE20 21_2_00007FFC74C2DE20
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C525C0 21_2_00007FFC74C525C0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C395C0 21_2_00007FFC74C395C0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C365E0 21_2_00007FFC74C365E0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C2C5A0 21_2_00007FFC74C2C5A0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C42F50 21_2_00007FFC74C42F50
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C80770 21_2_00007FFC74C80770
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C3E770 21_2_00007FFC74C3E770
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C85760 21_2_00007FFC74C85760
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C80F30 21_2_00007FFC74C80F30
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C4872B 21_2_00007FFC74C4872B
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C87EC0 21_2_00007FFC74C87EC0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C26E90 21_2_00007FFC74C26E90
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C27E80 21_2_00007FFC74C27E80
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C4F6B0 21_2_00007FFC74C4F6B0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C506A0 21_2_00007FFC74C506A0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C45050 21_2_00007FFC74C45050
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C75840 21_2_00007FFC74C75840
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C5F870 21_2_00007FFC74C5F870
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C21010 21_2_00007FFC74C21010
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C44800 21_2_00007FFC74C44800
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C4C030 21_2_00007FFC74C4C030
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C50020 21_2_00007FFC74C50020
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C697D0 21_2_00007FFC74C697D0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C3A7D0 21_2_00007FFC74C3A7D0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C38FC0 21_2_00007FFC74C38FC0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C94FF0 21_2_00007FFC74C94FF0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C46FE0 21_2_00007FFC74C46FE0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C26790 21_2_00007FFC74C26790
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C9EF80 21_2_00007FFC74C9EF80
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C4E7B0 21_2_00007FFC74C4E7B0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C9B7A0 21_2_00007FFC74C9B7A0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C73150 21_2_00007FFC74C73150
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C86950 21_2_00007FFC74C86950
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C44140 21_2_00007FFC74C44140
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C8B960 21_2_00007FFC74C8B960
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C3E110 21_2_00007FFC74C3E110
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C43910 21_2_00007FFC74C43910
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C2B100 21_2_00007FFC74C2B100
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C56130 21_2_00007FFC74C56130
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C218D0 21_2_00007FFC74C218D0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C3D890 21_2_00007FFC74C3D890
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C47880 21_2_00007FFC74C47880
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C308B0 21_2_00007FFC74C308B0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C5B250 21_2_00007FFC74C5B250
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C27A40 21_2_00007FFC74C27A40
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C8B260 21_2_00007FFC74C8B260
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C521D0 21_2_00007FFC74C521D0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C469C0 21_2_00007FFC74C469C0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C559F0 21_2_00007FFC74C559F0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C4F1F0 21_2_00007FFC74C4F1F0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C591F0 21_2_00007FFC74C591F0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C589F0 21_2_00007FFC74C589F0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C59990 21_2_00007FFC74C59990
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C22980 21_2_00007FFC74C22980
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C3E9B0 21_2_00007FFC74C3E9B0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C411B0 21_2_00007FFC74C411B0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C4E9A0 21_2_00007FFC74C4E9A0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C85B50 21_2_00007FFC74C85B50
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C25350 21_2_00007FFC74C25350
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C43340 21_2_00007FFC74C43340
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C38340 21_2_00007FFC74C38340
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C54360 21_2_00007FFC74C54360
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C4A310 21_2_00007FFC74C4A310
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C50300 21_2_00007FFC74C50300
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C51B30 21_2_00007FFC74C51B30
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C2BB20 21_2_00007FFC74C2BB20
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C492C0 21_2_00007FFC74C492C0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C7F2C0 21_2_00007FFC74C7F2C0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C482E0 21_2_00007FFC74C482E0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C5BAE0 21_2_00007FFC74C5BAE0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C82AE0 21_2_00007FFC74C82AE0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C4DAA0 21_2_00007FFC74C4DAA0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C882A0 21_2_00007FFC74C882A0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C8AAA0 21_2_00007FFC74C8AAA0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C37410 21_2_00007FFC74C37410
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C89410 21_2_00007FFC74C89410
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C8E400 21_2_00007FFC74C8E400
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C25C20 21_2_00007FFC74C25C20
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C35420 21_2_00007FFC74C35420
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C74BC0 21_2_00007FFC74C74BC0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C323F0 21_2_00007FFC74C323F0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C84390 21_2_00007FFC74C84390
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7D520 25_2_00007FFC74C7D520
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C45CD0 25_2_00007FFC74C45CD0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C77650 25_2_00007FFC74C77650
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C6DDC0 25_2_00007FFC74C6DDC0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C45020 25_2_00007FFC74C45020
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C597D0 25_2_00007FFC74C597D0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C63150 25_2_00007FFC74C63150
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C37880 25_2_00007FFC74C37880
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C5CA50 25_2_00007FFC74C5CA50
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C4AA70 25_2_00007FFC74C4AA70
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C459F0 25_2_00007FFC74C459F0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C5A2C0 25_2_00007FFC74C5A2C0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C4BAE0 25_2_00007FFC74C4BAE0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C33D50 25_2_00007FFC74C33D50
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C3D550 25_2_00007FFC74C3D550
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C29D70 25_2_00007FFC74C29D70
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C40D10 25_2_00007FFC74C40D10
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C41D30 25_2_00007FFC74C41D30
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C23CD0 25_2_00007FFC74C23CD0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C43CF0 25_2_00007FFC74C43CF0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7A490 25_2_00007FFC74C7A490
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7E494 25_2_00007FFC74C7E494
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C3AC80 25_2_00007FFC74C3AC80
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7E48B 25_2_00007FFC74C7E48B
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7E4AD 25_2_00007FFC74C7E4AD
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7E4B6 25_2_00007FFC74C7E4B6
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C72CA0 25_2_00007FFC74C72CA0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7E49D 25_2_00007FFC74C7E49D
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7E4A6 25_2_00007FFC74C7E4A6
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C60650 25_2_00007FFC74C60650
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C28670 25_2_00007FFC74C28670
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C33610 25_2_00007FFC74C33610
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C42E10 25_2_00007FFC74C42E10
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C11620 25_2_00007FFC74C11620
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C1DE20 25_2_00007FFC74C1DE20
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C295C0 25_2_00007FFC74C295C0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C425C0 25_2_00007FFC74C425C0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C265E0 25_2_00007FFC74C265E0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C1C5A0 25_2_00007FFC74C1C5A0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C32F50 25_2_00007FFC74C32F50
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C70770 25_2_00007FFC74C70770
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C2E770 25_2_00007FFC74C2E770
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C8BF6F 25_2_00007FFC74C8BF6F
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C75760 25_2_00007FFC74C75760
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C70F30 25_2_00007FFC74C70F30
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C3872B 25_2_00007FFC74C3872B
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C77EC0 25_2_00007FFC74C77EC0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C16E90 25_2_00007FFC74C16E90
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C17E80 25_2_00007FFC74C17E80
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7A6B0 25_2_00007FFC74C7A6B0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C3F6B0 25_2_00007FFC74C3F6B0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C406A0 25_2_00007FFC74C406A0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C35050 25_2_00007FFC74C35050
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C65840 25_2_00007FFC74C65840
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C4F870 25_2_00007FFC74C4F870
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C5F870 25_2_00007FFC74C5F870
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C11010 25_2_00007FFC74C11010
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C34800 25_2_00007FFC74C34800
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C3C030 25_2_00007FFC74C3C030
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C40020 25_2_00007FFC74C40020
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C2A7D0 25_2_00007FFC74C2A7D0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C28FC0 25_2_00007FFC74C28FC0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C84FF0 25_2_00007FFC74C84FF0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C36FE0 25_2_00007FFC74C36FE0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C16790 25_2_00007FFC74C16790
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7C780 25_2_00007FFC74C7C780
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C8EF80 25_2_00007FFC74C8EF80
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C3E7B0 25_2_00007FFC74C3E7B0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C8B7A0 25_2_00007FFC74C8B7A0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C76950 25_2_00007FFC74C76950
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C34140 25_2_00007FFC74C34140
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7B960 25_2_00007FFC74C7B960
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C2E110 25_2_00007FFC74C2E110
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C33910 25_2_00007FFC74C33910
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C1B100 25_2_00007FFC74C1B100
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C46130 25_2_00007FFC74C46130
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C118D0 25_2_00007FFC74C118D0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C2D890 25_2_00007FFC74C2D890
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C208B0 25_2_00007FFC74C208B0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C4B250 25_2_00007FFC74C4B250
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C17A40 25_2_00007FFC74C17A40
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7B260 25_2_00007FFC74C7B260
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C421D0 25_2_00007FFC74C421D0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C369C0 25_2_00007FFC74C369C0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C491F0 25_2_00007FFC74C491F0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C489F0 25_2_00007FFC74C489F0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C3F1F0 25_2_00007FFC74C3F1F0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C49990 25_2_00007FFC74C49990
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C12980 25_2_00007FFC74C12980
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C2E9B0 25_2_00007FFC74C2E9B0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C311B0 25_2_00007FFC74C311B0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C3E9A0 25_2_00007FFC74C3E9A0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C75B50 25_2_00007FFC74C75B50
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C15350 25_2_00007FFC74C15350
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C33340 25_2_00007FFC74C33340
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C28340 25_2_00007FFC74C28340
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C44360 25_2_00007FFC74C44360
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C3A310 25_2_00007FFC74C3A310
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C40300 25_2_00007FFC74C40300
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C41B30 25_2_00007FFC74C41B30
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C1BB20 25_2_00007FFC74C1BB20
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C6F2C0 25_2_00007FFC74C6F2C0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C392C0 25_2_00007FFC74C392C0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C77AF0 25_2_00007FFC74C77AF0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C72AE0 25_2_00007FFC74C72AE0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C382E0 25_2_00007FFC74C382E0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C782A0 25_2_00007FFC74C782A0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7AAA0 25_2_00007FFC74C7AAA0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C3DAA0 25_2_00007FFC74C3DAA0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C79410 25_2_00007FFC74C79410
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C27410 25_2_00007FFC74C27410
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7E400 25_2_00007FFC74C7E400
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C15C20 25_2_00007FFC74C15C20
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C25420 25_2_00007FFC74C25420
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C64BC0 25_2_00007FFC74C64BC0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C223F0 25_2_00007FFC74C223F0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C74390 25_2_00007FFC74C74390
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672550898 35_2_00007FF672550898
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254E998 35_2_00007FF67254E998
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254EF84 35_2_00007FF67254EF84
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672546088 35_2_00007FF672546088
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672543A5C 35_2_00007FF672543A5C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672544B5C 35_2_00007FF672544B5C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672544260 35_2_00007FF672544260
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254CF64 35_2_00007FF67254CF64
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672555644 35_2_00007FF672555644
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672546744 35_2_00007FF672546744
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254E04C 35_2_00007FF67254E04C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672545B4C 35_2_00007FF672545B4C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672559354 35_2_00007FF672559354
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672557550 35_2_00007FF672557550
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67255151C 35_2_00007FF67255151C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672558E1C 35_2_00007FF672558E1C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254BE24 35_2_00007FF67254BE24
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254AD20 35_2_00007FF67254AD20
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254292C 35_2_00007FF67254292C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254E330 35_2_00007FF67254E330
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254DAFC 35_2_00007FF67254DAFC
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254C1FC 35_2_00007FF67254C1FC
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672548BFC 35_2_00007FF672548BFC
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672545300 35_2_00007FF672545300
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672544F08 35_2_00007FF672544F08
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67255780C 35_2_00007FF67255780C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672554D0C 35_2_00007FF672554D0C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254FC14 35_2_00007FF67254FC14
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672541B14 35_2_00007FF672541B14
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254C710 35_2_00007FF67254C710
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF6725533DC 35_2_00007FF6725533DC
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF6725413E4 35_2_00007FF6725413E4
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF6725472E8 35_2_00007FF6725472E8
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF6725529E8 35_2_00007FF6725529E8
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF6725586E8 35_2_00007FF6725586E8
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF6725479C4 35_2_00007FF6725479C4
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672550AC0 35_2_00007FF672550AC0
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672547ED0 35_2_00007FF672547ED0
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF6725510D4 35_2_00007FF6725510D4
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA580D0 37_2_00007FF6BFA580D0
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA3F930 37_2_00007FF6BFA3F930
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA5B130 37_2_00007FF6BFA5B130
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA43060 37_2_00007FF6BFA43060
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA59090 37_2_00007FF6BFA59090
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA52810 37_2_00007FF6BFA52810
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA4FF80 37_2_00007FF6BFA4FF80
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA43EE8 37_2_00007FF6BFA43EE8
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA4E638 37_2_00007FF6BFA4E638
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA3753C 37_2_00007FF6BFA3753C
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA44540 37_2_00007FF6BFA44540
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA33D94 37_2_00007FF6BFA33D94
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA5D4D0 37_2_00007FF6BFA5D4D0
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA3DC4C 37_2_00007FF6BFA3DC4C
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA49CA0 37_2_00007FF6BFA49CA0
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA5A420 37_2_00007FF6BFA5A420
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA343AC 37_2_00007FF6BFA343AC
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA4EBA8 37_2_00007FF6BFA4EBA8
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA45330 37_2_00007FF6BFA45330
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA3D2F8 37_2_00007FF6BFA3D2F8
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA56260 37_2_00007FF6BFA56260
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA58AA0 37_2_00007FF6BFA58AA0
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA51950 37_2_00007FF6BFA51950
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA5F994 37_2_00007FF6BFA5F994
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA84DD0 41_2_00007FF76CA84DD0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA8ED90 41_2_00007FF76CA8ED90
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA58F14 41_2_00007FF76CA58F14
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA9EE40 41_2_00007FF76CA9EE40
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA9D010 41_2_00007FF76CA9D010
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA6AFF0 41_2_00007FF76CA6AFF0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA9A998 41_2_00007FF76CA9A998
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA689F4 41_2_00007FF76CA689F4
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA56948 41_2_00007FF76CA56948
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA6CCFC 41_2_00007FF76CA6CCFC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA3ED00 41_2_00007FF76CA3ED00
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA24CDC 41_2_00007FF76CA24CDC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA90C44 41_2_00007FF76CA90C44
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA6A5D0 41_2_00007FF76CA6A5D0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CAA45E0 41_2_00007FF76CAA45E0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA5253C 41_2_00007FF76CA5253C
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA3E560 41_2_00007FF76CA3E560
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA70644 41_2_00007FF76CA70644
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA60620 41_2_00007FF76CA60620
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA0E7FC 41_2_00007FF76CA0E7FC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA19AF0 41_2_00007FF76CA19AF0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA0A7EC 41_2_00007FF76CA0A7EC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CAB47E5 41_2_00007FF76CAB47E5
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CAA0728 41_2_00007FF76CAA0728
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA648C0 41_2_00007FF76CA648C0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA821AC 41_2_00007FF76CA821AC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA421AC 41_2_00007FF76CA421AC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA84198 41_2_00007FF76CA84198
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA8C2D8 41_2_00007FF76CA8C2D8
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA4A250 41_2_00007FF76CA4A250
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA2E224 41_2_00007FF76CA2E224
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA343B8 41_2_00007FF76CA343B8
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA03D38 41_2_00007FF76CA03D38
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA75F08 41_2_00007FF76CA75F08
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA6BE58 41_2_00007FF76CA6BE58
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CAABFEC 41_2_00007FF76CAABFEC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA9BF88 41_2_00007FF76CA9BF88
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA0A058 41_2_00007FF76CA0A058
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA77A00 41_2_00007FF76CA77A00
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA0B928 41_2_00007FF76CA0B928
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA8F920 41_2_00007FF76CA8F920
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA71AD4 41_2_00007FF76CA71AD4
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA97A20 41_2_00007FF76CA97A20
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CAADB6C 41_2_00007FF76CAADB6C
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA8BD14 41_2_00007FF76CA8BD14
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA3DC44 41_2_00007FF76CA3DC44
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CAAFC59 41_2_00007FF76CAAFC59
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA6D6B0 41_2_00007FF76CA6D6B0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CAAD7A2 41_2_00007FF76CAAD7A2
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA9D788 41_2_00007FF76CA9D788
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: String function: 00007FF76CA032F8 appears 319 times
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: String function: 00007FF76CA04D68 appears 156 times
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: String function: 00007FF76CA06894 appears 44 times
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: String function: 00007FF76CA162E4 appears 55 times
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: String function: 00007FF76CAA6AD8 appears 183 times
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: String function: 00007FF67254114C appears 40 times
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: String function: 00007FF6725412F0 appears 44 times
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: String function: 00007FF6BFA32AE8 appears 152 times
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC67107770 NtClose, 0_2_00007FFC67107770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6712D520 NtQuerySystemInformation,RtlAllocateHeap, 0_2_00007FFC6712D520
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C55CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 21_2_00007FFC74C55CD0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FFC74C67770 NtClose, 21_2_00007FFC74C67770
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C7D520 NtQuerySystemInformation, 25_2_00007FFC74C7D520
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C4C4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 25_2_00007FFC74C4C4D0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C45CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 25_2_00007FFC74C45CD0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C35F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 25_2_00007FFC74C35F40
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C57770 NtClose, 25_2_00007FFC74C57770
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C4AA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread, 25_2_00007FFC74C4AA70
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C4BAE0 NtReadVirtualMemory, 25_2_00007FFC74C4BAE0
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA63030 memset,AlpcInitializeMessageAttribute,AcquireSRWLockShared,ReleaseSRWLockShared,ZwAlpcSendWaitReceivePort,AlpcGetMessageAttribute,ZwAlpcCancelMessage,ReleaseSRWLockShared,RtlWakeAddressAll, 37_2_00007FF6BFA63030
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA62F2C AcquireSRWLockShared,ReleaseSRWLockShared,ZwAlpcDisconnectPort,ZwAlpcQueryInformation,ReleaseSRWLockShared,RtlWaitOnAddress,AcquireSRWLockExclusive,GetCurrentThreadId,ReleaseSRWLockExclusive,CloseHandle,TpWaitForAlpcCompletion, 37_2_00007FF6BFA62F2C
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA643C0 memset,GetCurrentProcess,QueryFullProcessImageNameW,NtPowerInformation, 37_2_00007FF6BFA643C0
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA62C30 HeapAlloc,memset,InitializeSRWLock,RtlInitUnicodeString,memset,memset,ZwAlpcConnectPort,CreateThreadpool,TpAllocAlpcCompletion, 37_2_00007FF6BFA62C30
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA63284 AcquireSRWLockExclusive,GetCurrentThreadId,ZwClose,ReleaseSRWLockExclusive,ZwAlpcCancelMessage, 37_2_00007FF6BFA63284
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA631E0 AcquireSRWLockShared,memset,ZwAlpcSendWaitReceivePort,ReleaseSRWLockShared, 37_2_00007FF6BFA631E0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CAAA9CC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString, 41_2_00007FF76CAAA9CC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA76C44 RtlInitUnicodeString,NtQueryLicenseValue, 41_2_00007FF76CA76C44
Source: GamePanel.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wlrmdr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wlrmdr.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Section loaded: kernel34.dll
Source: dwmapi.dll.4.dr Static PE information: Number of sections : 58 > 10
Source: AyBhhRZXPj.dll Static PE information: Number of sections : 57 > 10
Source: WTSAPI32.dll.4.dr Static PE information: Number of sections : 58 > 10
Source: DUI70.dll.4.dr Static PE information: Number of sections : 58 > 10
Source: VERSION.dll0.4.dr Static PE information: Number of sections : 58 > 10
Source: XmlLite.dll.4.dr Static PE information: Number of sections : 58 > 10
Source: VERSION.dll.4.dr Static PE information: Number of sections : 58 > 10
Source: UxTheme.dll.4.dr Static PE information: Number of sections : 58 > 10
Source: MFC42u.dll.4.dr Static PE information: Number of sections : 58 > 10
Source: AyBhhRZXPj.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
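The section-table findings above (57 or 58 sections against the ten the scanner treats as normal, .text flagged EXECUTE|CNT_CODE|READ, and the run of random section names such as .vxl and .qwubgr that the report lists for the sample and for the dropped dwmapi.dll) can be reproduced with a short static check. The Python below is an added example written for this page; it is not Joe Sandbox code and it does not process the sample's bytes. It parses the PE headers with the standard library only, and the PE32+ image it builds in memory is constructed for the demonstration (its section names are borrowed from the report, nothing else is). The allow-list of standard section names and the DllCharacteristics value used for the constructed image are assumptions.

```python
import struct

# Section-characteristics bits from winnt.h
SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
# DllCharacteristics bits from winnt.h (the report prints four of these for the sample)
DLL_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
# Assumption: names the linker or the Windows build emits routinely; everything else is
# reported as non-standard. .didat/.imrsiv are included because the legitimate Windows
# binaries in this report carry them.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".tls", ".bss", ".gfids", ".didat", ".imrsiv"}


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                    # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                                  # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    sections, pos = [], opt + opt_size
    for _ in range(nsect):
        name, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, pos)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "characteristics": chars})
        pos += 40                                         # IMAGE_SECTION_HEADER is 40 bytes
    return {"machine": machine, "timestamp": timestamp, "image_base": image_base,
            "dll_characteristics": dll_chars, "sections": sections}


def triage(data: bytes, max_sections: int = 10) -> list:
    """Findings phrased like the report's 'Static PE information' lines."""
    pe = parse_pe(data)
    out = []
    if len(pe["sections"]) > max_sections:
        out.append(f"Number of sections : {len(pe['sections'])} > {max_sections}")
    for s in pe["sections"]:
        c = s["characteristics"]
        if s["name"] not in STANDARD_SECTIONS:
            out.append(f"section name: {s['name']}")
        if c & 0x20000000:                                # executable section: list its flags
            flags = ", ".join(n for bit, n in sorted(SCN_FLAGS.items()) if c & bit)
            out.append(f"Section: {s['name']} {flags}")
        if c & 0x20000000 and c & 0x80000000:             # W+X: unpacker stub or self-modifying code
            out.append(f"Section: {s['name']} is writable and executable")
    out.append(", ".join(n for bit, n in sorted(DLL_FLAGS.items()) if pe["dll_characteristics"] & bit))
    return out


def build_sample_pe(section_names, dll_chars=0x8160, image_base=0x140000000) -> bytes:
    """Constructed PE32+ image consisting of headers only, so the parser can run offline.
    0x8160 = TERMINAL_SERVER_AWARE | NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA, as in the report."""
    opt_size = 240                                        # PE32+ optional header incl. 16 data dirs
    buf = bytearray(64)                                   # DOS header
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 64)                 # e_lfanew
    buf += b"PE\0\0"
    buf += struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    buf += opt
    for name in section_names:
        # .text: CODE|EXECUTE|READ; everything else: INITIALIZED_DATA|READ
        chars = 0x60000020 if name == ".text" else 0x40000040
        buf += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, chars)
    return bytes(buf)


if __name__ == "__main__":
    names = [".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
             ".vxl", ".qwubgr", ".eer", ".xwwauf", ".pkc", ".npkda"]   # names taken from the report
    for line in triage(build_sample_pe(names)):
        print(line)
```

Run against a real file with `triage(open(path, "rb").read())`. The section-count threshold and the name allow-list are heuristics: a packer can stay under ten sections and use plausible names, so treat these lines as triage signals alongside the scanner hits and the dropped-file behaviour, not as a verdict on their own.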
Source: AyBhhRZXPj.dll Virustotal: Detection: 70%
Source: AyBhhRZXPj.dll Metadefender: Detection: 62%
Source: AyBhhRZXPj.dll ReversingLabs: Detection: 88%
Source: AyBhhRZXPj.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,ApplyCompatResolutionQuirking
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatString
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatValue
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\Magnify.exe C:\Windows\system32\Magnify.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\FileHistory.exe C:\Windows\system32\FileHistory.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\u70W8\FileHistory.exe C:\Users\user\AppData\Local\u70W8\FileHistory.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\RdpSa.exe C:\Windows\system32\RdpSa.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mspaint.exe C:\Windows\system32\mspaint.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mmc.exe C:\Windows\system32\mmc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\EaseOfAccessDialog.exe C:\Windows\system32\EaseOfAccessDialog.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\unregmp2.exe C:\Windows\system32\unregmp2.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\vVin\unregmp2.exe C:\Users\user\AppData\Local\vVin\unregmp2.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\omadmclient.exe C:\Windows\system32\omadmclient.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesPerformance.exe C:\Windows\system32\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\eudcedit.exe C:\Windows\system32\eudcedit.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Odp\GamePanel.exe C:\Users\user\AppData\Local\Odp\GamePanel.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,ApplyCompatResolutionQuirking Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatString Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatValue Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1 Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\Magnify.exe C:\Windows\system32\Magnify.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\FileHistory.exe C:\Windows\system32\FileHistory.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\u70W8\FileHistory.exe C:\Users\user\AppData\Local\u70W8\FileHistory.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\RdpSa.exe C:\Windows\system32\RdpSa.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mspaint.exe C:\Windows\system32\mspaint.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mmc.exe C:\Windows\system32\mmc.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\EaseOfAccessDialog.exe C:\Windows\system32\EaseOfAccessDialog.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\unregmp2.exe C:\Windows\system32\unregmp2.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\vVin\unregmp2.exe C:\Users\user\AppData\Local\vVin\unregmp2.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\omadmclient.exe C:\Windows\system32\omadmclient.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesPerformance.exe C:\Windows\system32\SystemPropertiesPerformance.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\eudcedit.exe C:\Windows\system32\eudcedit.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Odp\GamePanel.exe C:\Users\user\AppData\Local\Odp\GamePanel.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\RdpSa.exe C:\Windows\system32\RdpSa.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
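The process list above shows the pattern that makes this loader easy to spot on an endpoint: explorer.exe starts a legitimate System32 binary (FileHistory.exe, mspaint.exe, unregmp2.exe, omadmclient.exe, GamePanel.exe), then starts a copy of the same binary from a freshly created directory under C:\Users\user\AppData\Local\, where the dropped DLLs named elsewhere in the report (dwmapi.dll, VERSION.dll, WTSAPI32.dll, UxTheme.dll, XmlLite.dll, MFC42u.dll, DUI70.dll) sit beside it and get loaded in place of the system ones. The initial stage also calls the DLL's export by ordinal (rundll32.exe "...AyBhhRZXPj.dll",#1), which is the Sigma hit in the summary. The Python below is an added detection example written for this page, not Joe Sandbox's or any vendor's code; the event records are constructed from the report's process list in the shape of Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), and the two rule names, `make_event` and `SAMPLE_EVENTS` are this example's own.

```python
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = "\\appdata\\local\\"
# rundll32 invoked with an ordinal export: rundll32.exe "<dll>",#1
ORDINAL_CALL = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+"?\s*,\s*#\d+', re.I)


def detect(events):
    """Two rules over Sysmon EID 1-style records. Returns [(rule_name, event), ...].

    Rule 1 needs no list of Windows binaries: an image name that executed from a
    system directory in the same stream and then runs from AppData\\Local is a relocated
    copy, and the directory it runs from is where the side-loaded DLL lives.
    Rule 2 flags rundll32 loading a DLL export by ordinal."""
    seen_in_system = set()
    for ev in events:                                   # pass 1: learn the system binary names
        img = ev["Image"].lower()
        if img.startswith(SYSTEM_DIRS):
            seen_in_system.add(ntpath.basename(img))
    alerts = []
    for ev in events:                                   # pass 2: evaluate the rules
        img = ev["Image"].lower()
        base = ntpath.basename(img)
        if base in seen_in_system and USER_WRITABLE in img:
            alerts.append(("system_binary_relocated_to_appdata", ev))
        if base == "rundll32.exe" and ORDINAL_CALL.search(ev.get("CommandLine", "")):
            alerts.append(("rundll32_ordinal_export", ev))
    return alerts


def sideload_dirs(alerts):
    """Directories to collect: each holds the copied binary and the DLL it side-loads."""
    return sorted({ntpath.dirname(ev["Image"]) for rule, ev in alerts
                   if rule == "system_binary_relocated_to_appdata"})


def make_event(parent, image, cmdline=None):
    return {"ParentImage": parent, "Image": image, "CommandLine": cmdline or image}


EXPLORER = "C:\\Windows\\explorer.exe"
# Constructed from the report's process list; not a captured log
SAMPLE_EVENTS = [
    make_event("C:\\Windows\\System32\\loaddll64.exe", "C:\\Windows\\System32\\cmd.exe",
               'cmd.exe /C rundll32.exe "C:\\Users\\user\\Desktop\\AyBhhRZXPj.dll",#1'),
    make_event("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\rundll32.exe",
               'rundll32.exe "C:\\Users\\user\\Desktop\\AyBhhRZXPj.dll",#1'),
    make_event("C:\\Windows\\System32\\loaddll64.exe", "C:\\Windows\\System32\\rundll32.exe",
               "rundll32.exe C:\\Users\\user\\Desktop\\AyBhhRZXPj.dll,CompatString"),
    make_event(EXPLORER, "C:\\Windows\\System32\\FileHistory.exe"),
    make_event(EXPLORER, "C:\\Users\\user\\AppData\\Local\\u70W8\\FileHistory.exe"),
    make_event(EXPLORER, "C:\\Windows\\System32\\mspaint.exe"),
    make_event(EXPLORER, "C:\\Users\\user\\AppData\\Local\\NYpervHTp\\mspaint.exe"),
    make_event(EXPLORER, "C:\\Windows\\System32\\unregmp2.exe"),
    make_event(EXPLORER, "C:\\Users\\user\\AppData\\Local\\vVin\\unregmp2.exe"),
    make_event(EXPLORER, "C:\\Windows\\System32\\omadmclient.exe"),
    make_event(EXPLORER, "C:\\Users\\user\\AppData\\Local\\iv505rrw\\omadmclient.exe"),
    make_event(EXPLORER, "C:\\Windows\\System32\\GamePanel.exe"),
    make_event(EXPLORER, "C:\\Users\\user\\AppData\\Local\\Odp\\GamePanel.exe"),
    make_event(EXPLORER, "C:\\Windows\\System32\\mmc.exe"),   # launched but never copied: no alert
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: {ev['Image']}  <- {ev['ParentImage']}")
    print("collect:", sideload_dirs(detect(SAMPLE_EVENTS)))
```

Rule 1 is stateful across the stream, so on a real feed the learned set of system binary names persists across events; feeding it a longer window (or a static inventory of System32) catches a relocated copy whose original was launched before the window started. Note that the ordinal rule fires on the rundll32.exe process only, not on the cmd.exe parent whose command line also carries the string.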
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winDLL@49/18@0/0
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672545AA0 SHCreateItemFromParsingName,SetFileAttributesW,DeleteFileW,CoCreateInstance, 35_2_00007FF672545AA0
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA580D0 CreateStreamOnHGlobal,CreateXmlWriterOutputWithEncodingName,memset,memset,GetLastError,LocalFree,SetLastError,LocalFree,memset,FormatMessageW,GetLastError,GetProcessHeap,HeapAlloc,BigStrcat,GetLastError,LocalFree,SetLastError,??3@YAXPEAX@Z,LocalFree,LocalFree,LocalFree,??3@YAXPEAX@Z,LocalFree,LocalFree, 37_2_00007FF6BFA580D0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672543720 RegDeleteKeyW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,GetFileAttributesW,ShellExecuteW,OpenSCManagerW,OpenServiceW,QueryServiceConfigW,ChangeServiceConfigW,QueryServiceStatus,ControlService,CloseServiceHandle,CloseServiceHandle, 35_2_00007FF672543720
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C4CB00 GetProcessId,CreateToolhelp32Snapshot,Thread32First, 25_2_00007FFC74C4CB00
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,ApplyCompatResolutionQuirking
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Mutant created: \Sessions\1\BaseNamedObjects\{7f288414-5cf0-ae42-7066-c8e415a6409f}
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Mutant created: \Sessions\1\BaseNamedObjects\{ca68fc37-cbed-19a4-8710-155280dc7f30}
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672543A5C CoInitialize,SHGetFolderPathW,LoadStringW,GetFileAttributesW,CreateDirectoryW,GetLastError,GetLastError,GetFileAttributesW,CreateDirectoryW,GetLastError,GetLastError,GetLastError,CoUninitialize,GetUserDefaultLCID,LCIDToLocaleName,PathAddBackslashW,CreateDirectoryW,GetTickCount,CreateDirectoryW,GetLastError,GetLastError,FindResourceW,LoadResource,CreateFileW,SizeofResource,WriteFile,CloseHandle,RegCreateKeyExW,RegSetValueExW,GetLastError,RegCloseKey, 35_2_00007FF672543A5C
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FINALIZING
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FINALIZING
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync SUCCEEDED
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync SUCCEEDED
Source: AyBhhRZXPj.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: AyBhhRZXPj.dll Static file information: File size 1351680 > 1048576
Source: AyBhhRZXPj.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: mspaint.pdb source: mspaint.exe, 00000019.00000000.419578288.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp, mspaint.exe, 00000019.00000002.455682881.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: mspaint.pdbGCTL source: mspaint.exe, 00000019.00000000.419578288.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp, mspaint.exe, 00000019.00000002.455682881.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: unregmp2.pdb source: unregmp2.exe, 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp, unregmp2.exe, 00000023.00000000.466778419.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 00000015.00000000.378208348.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp, FileHistory.exe, 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: unregmp2.pdbGCTL source: unregmp2.exe, 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp, unregmp2.exe, 00000023.00000000.466778419.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: omadmclient.pdb source: omadmclient.exe, 00000025.00000000.504473008.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp, omadmclient.exe, 00000025.00000002.528042949.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: omadmclient.pdbGCTL source: omadmclient.exe, 00000025.00000000.504473008.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp, omadmclient.exe, 00000025.00000002.528042949.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: FileHistory.pdb source: FileHistory.exe, 00000015.00000000.378208348.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp, FileHistory.exe, 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
Source: AyBhhRZXPj.dll Static PE information: section name: .vxl
Source: AyBhhRZXPj.dll Static PE information: section name: .qwubgr
Source: AyBhhRZXPj.dll Static PE information: section name: .eer
Source: AyBhhRZXPj.dll Static PE information: section name: .xwwauf
Source: AyBhhRZXPj.dll Static PE information: section name: .pkc
Source: AyBhhRZXPj.dll Static PE information: section name: .npkda
Source: AyBhhRZXPj.dll Static PE information: section name: .vhs
Source: AyBhhRZXPj.dll Static PE information: section name: .iaywj
Source: AyBhhRZXPj.dll Static PE information: section name: .nasi
Source: AyBhhRZXPj.dll Static PE information: section name: .zhvprh
Source: AyBhhRZXPj.dll Static PE information: section name: .yatdsp
Source: AyBhhRZXPj.dll Static PE information: section name: .njso
Source: AyBhhRZXPj.dll Static PE information: section name: .lgliat
Source: AyBhhRZXPj.dll Static PE information: section name: .ntqjh
Source: AyBhhRZXPj.dll Static PE information: section name: .sucsek
Source: AyBhhRZXPj.dll Static PE information: section name: .qsxjui
Source: AyBhhRZXPj.dll Static PE information: section name: .twctcm
Source: AyBhhRZXPj.dll Static PE information: section name: .nms
Source: AyBhhRZXPj.dll Static PE information: section name: .ogj
Source: AyBhhRZXPj.dll Static PE information: section name: .vrkgb
Source: AyBhhRZXPj.dll Static PE information: section name: .gikfw
Source: AyBhhRZXPj.dll Static PE information: section name: .ktl
Source: AyBhhRZXPj.dll Static PE information: section name: .crcn
Source: AyBhhRZXPj.dll Static PE information: section name: .wtfr
Source: AyBhhRZXPj.dll Static PE information: section name: .hep
Source: AyBhhRZXPj.dll Static PE information: section name: .ywg
Source: AyBhhRZXPj.dll Static PE information: section name: .sqsp
Source: AyBhhRZXPj.dll Static PE information: section name: .gzb
Source: AyBhhRZXPj.dll Static PE information: section name: .fatlss
Source: AyBhhRZXPj.dll Static PE information: section name: .plqa
Source: AyBhhRZXPj.dll Static PE information: section name: .vzt
Source: AyBhhRZXPj.dll Static PE information: section name: .dsbyd
Source: AyBhhRZXPj.dll Static PE information: section name: .cdelc
Source: AyBhhRZXPj.dll Static PE information: section name: .qkhkj
Source: AyBhhRZXPj.dll Static PE information: section name: .mnzegr
Source: AyBhhRZXPj.dll Static PE information: section name: .krw
Source: AyBhhRZXPj.dll Static PE information: section name: .jvsmn
Source: AyBhhRZXPj.dll Static PE information: section name: .bygpq
Source: AyBhhRZXPj.dll Static PE information: section name: .kzdbu
Source: AyBhhRZXPj.dll Static PE information: section name: .mwxorn
Source: AyBhhRZXPj.dll Static PE information: section name: .raf
Source: AyBhhRZXPj.dll Static PE information: section name: .zcyw
Source: AyBhhRZXPj.dll Static PE information: section name: .zeczh
Source: AyBhhRZXPj.dll Static PE information: section name: .pvv
Source: AyBhhRZXPj.dll Static PE information: section name: .lug
Source: AyBhhRZXPj.dll Static PE information: section name: .ski
Source: AyBhhRZXPj.dll Static PE information: section name: .japjd
Source: AyBhhRZXPj.dll Static PE information: section name: .mwtzml
Source: AyBhhRZXPj.dll Static PE information: section name: .vgssf
Source: AyBhhRZXPj.dll Static PE information: section name: .qqb
Source: AyBhhRZXPj.dll Static PE information: section name: .vje
Source: omadmclient.exe.4.dr Static PE information: section name: .didat
Source: GamePanel.exe.4.dr Static PE information: section name: .imrsiv
Source: GamePanel.exe.4.dr Static PE information: section name: .didat
Source: FileHistory.exe.4.dr Static PE information: section name: .nep
Source: wlrmdr.exe.4.dr Static PE information: section name: .imrsiv
Source: dwmapi.dll.4.dr Static PE information: section name: .vxl
Source: dwmapi.dll.4.dr Static PE information: section name: .qwubgr
Source: dwmapi.dll.4.dr Static PE information: section name: .eer
Source: dwmapi.dll.4.dr Static PE information: section name: .xwwauf
Source: dwmapi.dll.4.dr Static PE information: section name: .pkc
Source: dwmapi.dll.4.dr Static PE information: section name: .npkda
Source: dwmapi.dll.4.dr Static PE information: section name: .vhs
Source: dwmapi.dll.4.dr Static PE information: section name: .iaywj
Source: dwmapi.dll.4.dr Static PE information: section name: .nasi
Source: dwmapi.dll.4.dr Static PE information: section name: .zhvprh
Source: dwmapi.dll.4.dr Static PE information: section name: .yatdsp
Source: dwmapi.dll.4.dr Static PE information: section name: .njso
Source: dwmapi.dll.4.dr Static PE information: section name: .lgliat
Source: dwmapi.dll.4.dr Static PE information: section name: .ntqjh
Source: dwmapi.dll.4.dr Static PE information: section name: .sucsek
Source: dwmapi.dll.4.dr Static PE information: section name: .qsxjui
Source: dwmapi.dll.4.dr Static PE information: section name: .twctcm
Source: dwmapi.dll.4.dr Static PE information: section name: .nms
Source: dwmapi.dll.4.dr Static PE information: section name: .ogj
Source: dwmapi.dll.4.dr Static PE information: section name: .vrkgb
Source: dwmapi.dll.4.dr Static PE information: section name: .gikfw
Source: dwmapi.dll.4.dr Static PE information: section name: .ktl
Source: dwmapi.dll.4.dr Static PE information: section name: .crcn
Source: dwmapi.dll.4.dr Static PE information: section name: .wtfr
Source: dwmapi.dll.4.dr Static PE information: section name: .hep
Source: dwmapi.dll.4.dr Static PE information: section name: .ywg
Source: dwmapi.dll.4.dr Static PE information: section name: .sqsp
Source: dwmapi.dll.4.dr Static PE information: section name: .gzb
Source: dwmapi.dll.4.dr Static PE information: section name: .fatlss
Source: dwmapi.dll.4.dr Static PE information: section name: .plqa
Source: dwmapi.dll.4.dr Static PE information: section name: .vzt
Source: dwmapi.dll.4.dr Static PE information: section name: .dsbyd
Source: dwmapi.dll.4.dr Static PE information: section name: .cdelc
Source: dwmapi.dll.4.dr Static PE information: section name: .qkhkj
Source: dwmapi.dll.4.dr Static PE information: section name: .mnzegr
Source: dwmapi.dll.4.dr Static PE information: section name: .krw
Source: dwmapi.dll.4.dr Static PE information: section name: .jvsmn
Source: dwmapi.dll.4.dr Static PE information: section name: .bygpq
Source: dwmapi.dll.4.dr Static PE information: section name: .kzdbu
Source: dwmapi.dll.4.dr Static PE information: section name: .mwxorn
Source: dwmapi.dll.4.dr Static PE information: section name: .raf
Source: dwmapi.dll.4.dr Static PE information: section name: .zcyw
Source: dwmapi.dll.4.dr Static PE information: section name: .zeczh
Source: dwmapi.dll.4.dr Static PE information: section name: .pvv
Source: dwmapi.dll.4.dr Static PE information: section name: .lug
Source: dwmapi.dll.4.dr Static PE information: section name: .ski
Source: dwmapi.dll.4.dr Static PE information: section name: .japjd
Source: dwmapi.dll.4.dr Static PE information: section name: .mwtzml
Source: dwmapi.dll.4.dr Static PE information: section name: .vgssf
Source: dwmapi.dll.4.dr Static PE information: section name: .qqb
Source: dwmapi.dll.4.dr Static PE information: section name: .vje
Source: dwmapi.dll.4.dr Static PE information: section name: .ksr
Source: VERSION.dll.4.dr Static PE information: section name: .vxl
Source: VERSION.dll.4.dr Static PE information: section name: .qwubgr
Source: VERSION.dll.4.dr Static PE information: section name: .eer
Source: VERSION.dll.4.dr Static PE information: section name: .xwwauf
Source: VERSION.dll.4.dr Static PE information: section name: .pkc
Source: VERSION.dll.4.dr Static PE information: section name: .npkda
Source: VERSION.dll.4.dr Static PE information: section name: .vhs
Source: VERSION.dll.4.dr Static PE information: section name: .iaywj
Source: VERSION.dll.4.dr Static PE information: section name: .nasi
Source: VERSION.dll.4.dr Static PE information: section name: .zhvprh
Source: VERSION.dll.4.dr Static PE information: section name: .yatdsp
Source: VERSION.dll.4.dr Static PE information: section name: .njso
Source: VERSION.dll.4.dr Static PE information: section name: .lgliat
Source: VERSION.dll.4.dr Static PE information: section name: .ntqjh
Source: VERSION.dll.4.dr Static PE information: section name: .sucsek
Source: VERSION.dll.4.dr Static PE information: section name: .qsxjui
Source: VERSION.dll.4.dr Static PE information: section name: .twctcm
Source: VERSION.dll.4.dr Static PE information: section name: .nms
Source: VERSION.dll.4.dr Static PE information: section name: .ogj
Source: VERSION.dll.4.dr Static PE information: section name: .vrkgb
Source: VERSION.dll.4.dr Static PE information: section name: .gikfw
Source: VERSION.dll.4.dr Static PE information: section name: .ktl
Source: VERSION.dll.4.dr Static PE information: section name: .crcn
Source: VERSION.dll.4.dr Static PE information: section name: .wtfr
Source: VERSION.dll.4.dr Static PE information: section name: .hep
Source: VERSION.dll.4.dr Static PE information: section name: .ywg
Source: VERSION.dll.4.dr Static PE information: section name: .sqsp
Source: VERSION.dll.4.dr Static PE information: section name: .gzb
Source: VERSION.dll.4.dr Static PE information: section name: .fatlss
Source: VERSION.dll.4.dr Static PE information: section name: .plqa
Source: VERSION.dll.4.dr Static PE information: section name: .vzt
Source: VERSION.dll.4.dr Static PE information: section name: .dsbyd
Source: VERSION.dll.4.dr Static PE information: section name: .cdelc
Source: VERSION.dll.4.dr Static PE information: section name: .qkhkj
Source: VERSION.dll.4.dr Static PE information: section name: .mnzegr
Source: VERSION.dll.4.dr Static PE information: section name: .krw
Source: VERSION.dll.4.dr Static PE information: section name: .jvsmn
Source: VERSION.dll.4.dr Static PE information: section name: .bygpq
Source: VERSION.dll.4.dr Static PE information: section name: .kzdbu
Source: VERSION.dll.4.dr Static PE information: section name: .mwxorn
Source: VERSION.dll.4.dr Static PE information: section name: .raf
Source: VERSION.dll.4.dr Static PE information: section name: .zcyw
Source: VERSION.dll.4.dr Static PE information: section name: .zeczh
Source: VERSION.dll.4.dr Static PE information: section name: .pvv
Source: VERSION.dll.4.dr Static PE information: section name: .lug
Source: VERSION.dll.4.dr Static PE information: section name: .ski
Source: VERSION.dll.4.dr Static PE information: section name: .japjd
Source: VERSION.dll.4.dr Static PE information: section name: .mwtzml
Source: VERSION.dll.4.dr Static PE information: section name: .vgssf
Source: VERSION.dll.4.dr Static PE information: section name: .qqb
Source: VERSION.dll.4.dr Static PE information: section name: .vje
Source: VERSION.dll.4.dr Static PE information: section name: .iol
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vxl
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qwubgr
Source: WTSAPI32.dll.4.dr Static PE information: section name: .eer
Source: WTSAPI32.dll.4.dr Static PE information: section name: .xwwauf
Source: WTSAPI32.dll.4.dr Static PE information: section name: .pkc
Source: WTSAPI32.dll.4.dr Static PE information: section name: .npkda
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vhs
Source: WTSAPI32.dll.4.dr Static PE information: section name: .iaywj
Source: WTSAPI32.dll.4.dr Static PE information: section name: .nasi
Source: WTSAPI32.dll.4.dr Static PE information: section name: .zhvprh
Source: WTSAPI32.dll.4.dr Static PE information: section name: .yatdsp
Source: WTSAPI32.dll.4.dr Static PE information: section name: .njso
Source: WTSAPI32.dll.4.dr Static PE information: section name: .lgliat
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ntqjh
Source: WTSAPI32.dll.4.dr Static PE information: section name: .sucsek
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qsxjui
Source: WTSAPI32.dll.4.dr Static PE information: section name: .twctcm
Source: WTSAPI32.dll.4.dr Static PE information: section name: .nms
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ogj
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vrkgb
Source: WTSAPI32.dll.4.dr Static PE information: section name: .gikfw
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ktl
Source: WTSAPI32.dll.4.dr Static PE information: section name: .crcn
Source: WTSAPI32.dll.4.dr Static PE information: section name: .wtfr
Source: WTSAPI32.dll.4.dr Static PE information: section name: .hep
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ywg
Source: WTSAPI32.dll.4.dr Static PE information: section name: .sqsp
Source: WTSAPI32.dll.4.dr Static PE information: section name: .gzb
Source: WTSAPI32.dll.4.dr Static PE information: section name: .fatlss
Source: WTSAPI32.dll.4.dr Static PE information: section name: .plqa
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vzt
Source: WTSAPI32.dll.4.dr Static PE information: section name: .dsbyd
Source: WTSAPI32.dll.4.dr Static PE information: section name: .cdelc
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qkhkj
Source: WTSAPI32.dll.4.dr Static PE information: section name: .mnzegr
Source: WTSAPI32.dll.4.dr Static PE information: section name: .krw
Source: WTSAPI32.dll.4.dr Static PE information: section name: .jvsmn
Source: WTSAPI32.dll.4.dr Static PE information: section name: .bygpq
Source: WTSAPI32.dll.4.dr Static PE information: section name: .kzdbu
Source: WTSAPI32.dll.4.dr Static PE information: section name: .mwxorn
Source: WTSAPI32.dll.4.dr Static PE information: section name: .raf
Source: WTSAPI32.dll.4.dr Static PE information: section name: .zcyw
Source: WTSAPI32.dll.4.dr Static PE information: section name: .zeczh
Source: WTSAPI32.dll.4.dr Static PE information: section name: .pvv
Source: WTSAPI32.dll.4.dr Static PE information: section name: .lug
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ski
Source: WTSAPI32.dll.4.dr Static PE information: section name: .japjd
Source: WTSAPI32.dll.4.dr Static PE information: section name: .mwtzml
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vgssf
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qqb
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vje
Source: WTSAPI32.dll.4.dr Static PE information: section name: .gec
Source: DUI70.dll.4.dr Static PE information: section name: .vxl
Source: DUI70.dll.4.dr Static PE information: section name: .qwubgr
Source: DUI70.dll.4.dr Static PE information: section name: .eer
Source: DUI70.dll.4.dr Static PE information: section name: .xwwauf
Source: DUI70.dll.4.dr Static PE information: section name: .pkc
Source: DUI70.dll.4.dr Static PE information: section name: .npkda
Source: DUI70.dll.4.dr Static PE information: section name: .vhs
Source: DUI70.dll.4.dr Static PE information: section name: .iaywj
Source: DUI70.dll.4.dr Static PE information: section name: .nasi
Source: DUI70.dll.4.dr Static PE information: section name: .zhvprh
Source: DUI70.dll.4.dr Static PE information: section name: .yatdsp
Source: DUI70.dll.4.dr Static PE information: section name: .njso
Source: DUI70.dll.4.dr Static PE information: section name: .lgliat
Source: DUI70.dll.4.dr Static PE information: section name: .ntqjh
Source: DUI70.dll.4.dr Static PE information: section name: .sucsek
Source: DUI70.dll.4.dr Static PE information: section name: .qsxjui
Source: DUI70.dll.4.dr Static PE information: section name: .twctcm
Source: DUI70.dll.4.dr Static PE information: section name: .nms
Source: DUI70.dll.4.dr Static PE information: section name: .ogj
Source: DUI70.dll.4.dr Static PE information: section name: .vrkgb
Source: DUI70.dll.4.dr Static PE information: section name: .gikfw
Source: DUI70.dll.4.dr Static PE information: section name: .ktl
Source: DUI70.dll.4.dr Static PE information: section name: .crcn
Source: DUI70.dll.4.dr Static PE information: section name: .wtfr
Source: DUI70.dll.4.dr Static PE information: section name: .hep
Source: DUI70.dll.4.dr Static PE information: section name: .ywg
Source: DUI70.dll.4.dr Static PE information: section name: .sqsp
Source: DUI70.dll.4.dr Static PE information: section name: .gzb
Source: DUI70.dll.4.dr Static PE information: section name: .fatlss
Source: DUI70.dll.4.dr Static PE information: section name: .plqa
Source: DUI70.dll.4.dr Static PE information: section name: .vzt
Source: DUI70.dll.4.dr Static PE information: section name: .dsbyd
Source: DUI70.dll.4.dr Static PE information: section name: .cdelc
Source: DUI70.dll.4.dr Static PE information: section name: .qkhkj
Source: DUI70.dll.4.dr Static PE information: section name: .mnzegr
Source: DUI70.dll.4.dr Static PE information: section name: .krw
Source: DUI70.dll.4.dr Static PE information: section name: .jvsmn
Source: DUI70.dll.4.dr Static PE information: section name: .bygpq
Source: DUI70.dll.4.dr Static PE information: section name: .kzdbu
Source: DUI70.dll.4.dr Static PE information: section name: .mwxorn
Source: DUI70.dll.4.dr Static PE information: section name: .raf
Source: DUI70.dll.4.dr Static PE information: section name: .zcyw
Source: DUI70.dll.4.dr Static PE information: section name: .zeczh
Source: DUI70.dll.4.dr Static PE information: section name: .pvv
Source: DUI70.dll.4.dr Static PE information: section name: .lug
Source: DUI70.dll.4.dr Static PE information: section name: .ski
Source: DUI70.dll.4.dr Static PE information: section name: .japjd
Source: DUI70.dll.4.dr Static PE information: section name: .mwtzml
Source: DUI70.dll.4.dr Static PE information: section name: .vgssf
Source: DUI70.dll.4.dr Static PE information: section name: .qqb
Source: DUI70.dll.4.dr Static PE information: section name: .vje
Source: DUI70.dll.4.dr Static PE information: section name: .bue
Source: UxTheme.dll.4.dr Static PE information: section name: .vxl
Source: UxTheme.dll.4.dr Static PE information: section name: .qwubgr
Source: UxTheme.dll.4.dr Static PE information: section name: .eer
Source: UxTheme.dll.4.dr Static PE information: section name: .xwwauf
Source: UxTheme.dll.4.dr Static PE information: section name: .pkc
Source: UxTheme.dll.4.dr Static PE information: section name: .npkda
Source: UxTheme.dll.4.dr Static PE information: section name: .vhs
Source: UxTheme.dll.4.dr Static PE information: section name: .iaywj
Source: UxTheme.dll.4.dr Static PE information: section name: .nasi
Source: UxTheme.dll.4.dr Static PE information: section name: .zhvprh
Source: UxTheme.dll.4.dr Static PE information: section name: .yatdsp
Source: UxTheme.dll.4.dr Static PE information: section name: .njso
Source: UxTheme.dll.4.dr Static PE information: section name: .lgliat
Source: UxTheme.dll.4.dr Static PE information: section name: .ntqjh
Source: UxTheme.dll.4.dr Static PE information: section name: .sucsek
Source: UxTheme.dll.4.dr Static PE information: section name: .qsxjui
Source: UxTheme.dll.4.dr Static PE information: section name: .twctcm
Source: UxTheme.dll.4.dr Static PE information: section name: .nms
Source: UxTheme.dll.4.dr Static PE information: section name: .ogj
Source: UxTheme.dll.4.dr Static PE information: section name: .vrkgb
Source: UxTheme.dll.4.dr Static PE information: section name: .gikfw
Source: UxTheme.dll.4.dr Static PE information: section name: .ktl
Source: UxTheme.dll.4.dr Static PE information: section name: .crcn
Source: UxTheme.dll.4.dr Static PE information: section name: .wtfr
Source: UxTheme.dll.4.dr Static PE information: section name: .hep
Source: UxTheme.dll.4.dr Static PE information: section name: .ywg
Source: UxTheme.dll.4.dr Static PE information: section name: .sqsp
Source: UxTheme.dll.4.dr Static PE information: section name: .gzb
Source: UxTheme.dll.4.dr Static PE information: section name: .fatlss
Source: UxTheme.dll.4.dr Static PE information: section name: .plqa
Source: UxTheme.dll.4.dr Static PE information: section name: .vzt
Source: UxTheme.dll.4.dr Static PE information: section name: .dsbyd
Source: UxTheme.dll.4.dr Static PE information: section name: .cdelc
Source: UxTheme.dll.4.dr Static PE information: section name: .qkhkj
Source: UxTheme.dll.4.dr Static PE information: section name: .mnzegr
Source: UxTheme.dll.4.dr Static PE information: section name: .krw
Source: UxTheme.dll.4.dr Static PE information: section name: .jvsmn
Source: UxTheme.dll.4.dr Static PE information: section name: .bygpq
Source: UxTheme.dll.4.dr Static PE information: section name: .kzdbu
Source: UxTheme.dll.4.dr Static PE information: section name: .mwxorn
Source: UxTheme.dll.4.dr Static PE information: section name: .raf
Source: UxTheme.dll.4.dr Static PE information: section name: .zcyw
Source: UxTheme.dll.4.dr Static PE information: section name: .zeczh
Source: UxTheme.dll.4.dr Static PE information: section name: .pvv
Source: UxTheme.dll.4.dr Static PE information: section name: .lug
Source: UxTheme.dll.4.dr Static PE information: section name: .ski
Source: UxTheme.dll.4.dr Static PE information: section name: .japjd
Source: UxTheme.dll.4.dr Static PE information: section name: .mwtzml
Source: UxTheme.dll.4.dr Static PE information: section name: .vgssf
Source: UxTheme.dll.4.dr Static PE information: section name: .qqb
Source: UxTheme.dll.4.dr Static PE information: section name: .vje
Source: UxTheme.dll.4.dr Static PE information: section name: .npi
Source: MFC42u.dll.4.dr Static PE information: section name: .vxl
Source: MFC42u.dll.4.dr Static PE information: section name: .qwubgr
Source: MFC42u.dll.4.dr Static PE information: section name: .eer
Source: MFC42u.dll.4.dr Static PE information: section name: .xwwauf
Source: MFC42u.dll.4.dr Static PE information: section name: .pkc
Source: MFC42u.dll.4.dr Static PE information: section name: .npkda
Source: MFC42u.dll.4.dr Static PE information: section name: .vhs
Source: MFC42u.dll.4.dr Static PE information: section name: .iaywj
Source: MFC42u.dll.4.dr Static PE information: section name: .nasi
Source: MFC42u.dll.4.dr Static PE information: section name: .zhvprh
Source: MFC42u.dll.4.dr Static PE information: section name: .yatdsp
Source: MFC42u.dll.4.dr Static PE information: section name: .njso
Source: MFC42u.dll.4.dr Static PE information: section name: .lgliat
Source: MFC42u.dll.4.dr Static PE information: section name: .ntqjh
Source: MFC42u.dll.4.dr Static PE information: section name: .sucsek
Source: MFC42u.dll.4.dr Static PE information: section name: .qsxjui
Source: MFC42u.dll.4.dr Static PE information: section name: .twctcm
Source: MFC42u.dll.4.dr Static PE information: section name: .nms
Source: MFC42u.dll.4.dr Static PE information: section name: .ogj
Source: MFC42u.dll.4.dr Static PE information: section name: .vrkgb
Source: MFC42u.dll.4.dr Static PE information: section name: .gikfw
Source: MFC42u.dll.4.dr Static PE information: section name: .ktl
Source: MFC42u.dll.4.dr Static PE information: section name: .crcn
Source: MFC42u.dll.4.dr Static PE information: section name: .wtfr
Source: MFC42u.dll.4.dr Static PE information: section name: .hep
Source: MFC42u.dll.4.dr Static PE information: section name: .ywg
Source: MFC42u.dll.4.dr Static PE information: section name: .sqsp
Source: MFC42u.dll.4.dr Static PE information: section name: .gzb
Source: MFC42u.dll.4.dr Static PE information: section name: .fatlss
Source: MFC42u.dll.4.dr Static PE information: section name: .plqa
Source: MFC42u.dll.4.dr Static PE information: section name: .vzt
Source: MFC42u.dll.4.dr Static PE information: section name: .dsbyd
Source: MFC42u.dll.4.dr Static PE information: section name: .cdelc
Source: MFC42u.dll.4.dr Static PE information: section name: .qkhkj
Source: MFC42u.dll.4.dr Static PE information: section name: .mnzegr
Source: MFC42u.dll.4.dr Static PE information: section name: .krw
Source: MFC42u.dll.4.dr Static PE information: section name: .jvsmn
Source: MFC42u.dll.4.dr Static PE information: section name: .bygpq
Source: MFC42u.dll.4.dr Static PE information: section name: .kzdbu
Source: MFC42u.dll.4.dr Static PE information: section name: .mwxorn
Source: MFC42u.dll.4.dr Static PE information: section name: .raf
Source: MFC42u.dll.4.dr Static PE information: section name: .zcyw
Source: MFC42u.dll.4.dr Static PE information: section name: .zeczh
Source: MFC42u.dll.4.dr Static PE information: section name: .pvv
Source: MFC42u.dll.4.dr Static PE information: section name: .lug
Source: MFC42u.dll.4.dr Static PE information: section name: .ski
Source: MFC42u.dll.4.dr Static PE information: section name: .japjd
Source: MFC42u.dll.4.dr Static PE information: section name: .mwtzml
Source: MFC42u.dll.4.dr Static PE information: section name: .vgssf
Source: MFC42u.dll.4.dr Static PE information: section name: .qqb
Source: MFC42u.dll.4.dr Static PE information: section name: .vje
Source: MFC42u.dll.4.dr Static PE information: section name: .tfhhe
Source: VERSION.dll0.4.dr Static PE information: section name: .vxl
Source: VERSION.dll0.4.dr Static PE information: section name: .qwubgr
Source: VERSION.dll0.4.dr Static PE information: section name: .eer
Source: VERSION.dll0.4.dr Static PE information: section name: .xwwauf
Source: VERSION.dll0.4.dr Static PE information: section name: .pkc
Source: VERSION.dll0.4.dr Static PE information: section name: .npkda
Source: VERSION.dll0.4.dr Static PE information: section name: .vhs
Source: VERSION.dll0.4.dr Static PE information: section name: .iaywj
Source: VERSION.dll0.4.dr Static PE information: section name: .nasi
Source: VERSION.dll0.4.dr Static PE information: section name: .zhvprh
Source: VERSION.dll0.4.dr Static PE information: section name: .yatdsp
Source: VERSION.dll0.4.dr Static PE information: section name: .njso
Source: VERSION.dll0.4.dr Static PE information: section name: .lgliat
Source: VERSION.dll0.4.dr Static PE information: section name: .ntqjh
Source: VERSION.dll0.4.dr Static PE information: section name: .sucsek
Source: VERSION.dll0.4.dr Static PE information: section name: .qsxjui
Source: VERSION.dll0.4.dr Static PE information: section name: .twctcm
Source: VERSION.dll0.4.dr Static PE information: section name: .nms
Source: VERSION.dll0.4.dr Static PE information: section name: .ogj
Source: VERSION.dll0.4.dr Static PE information: section name: .vrkgb
Source: VERSION.dll0.4.dr Static PE information: section name: .gikfw
Source: VERSION.dll0.4.dr Static PE information: section name: .ktl
Source: VERSION.dll0.4.dr Static PE information: section name: .crcn
Source: VERSION.dll0.4.dr Static PE information: section name: .wtfr
Source: VERSION.dll0.4.dr Static PE information: section name: .hep
Source: VERSION.dll0.4.dr Static PE information: section name: .ywg
Source: VERSION.dll0.4.dr Static PE information: section name: .sqsp
Source: VERSION.dll0.4.dr Static PE information: section name: .gzb
Source: VERSION.dll0.4.dr Static PE information: section name: .fatlss
Source: VERSION.dll0.4.dr Static PE information: section name: .plqa
Source: VERSION.dll0.4.dr Static PE information: section name: .vzt
Source: VERSION.dll0.4.dr Static PE information: section name: .dsbyd
Source: VERSION.dll0.4.dr Static PE information: section name: .cdelc
Source: VERSION.dll0.4.dr Static PE information: section name: .qkhkj
Source: VERSION.dll0.4.dr Static PE information: section name: .mnzegr
Source: VERSION.dll0.4.dr Static PE information: section name: .krw
Source: VERSION.dll0.4.dr Static PE information: section name: .jvsmn
Source: VERSION.dll0.4.dr Static PE information: section name: .bygpq
Source: VERSION.dll0.4.dr Static PE information: section name: .kzdbu
Source: VERSION.dll0.4.dr Static PE information: section name: .mwxorn
Source: VERSION.dll0.4.dr Static PE information: section name: .raf
Source: VERSION.dll0.4.dr Static PE information: section name: .zcyw
Source: VERSION.dll0.4.dr Static PE information: section name: .zeczh
Source: VERSION.dll0.4.dr Static PE information: section name: .pvv
Source: VERSION.dll0.4.dr Static PE information: section name: .lug
Source: VERSION.dll0.4.dr Static PE information: section name: .ski
Source: VERSION.dll0.4.dr Static PE information: section name: .japjd
Source: VERSION.dll0.4.dr Static PE information: section name: .mwtzml
Source: VERSION.dll0.4.dr Static PE information: section name: .vgssf
Source: VERSION.dll0.4.dr Static PE information: section name: .qqb
Source: VERSION.dll0.4.dr Static PE information: section name: .vje
Source: VERSION.dll0.4.dr Static PE information: section name: .rlzfvj
Source: XmlLite.dll.4.dr Static PE information: section name: .vxl
Source: XmlLite.dll.4.dr Static PE information: section name: .qwubgr
Source: XmlLite.dll.4.dr Static PE information: section name: .eer
Source: XmlLite.dll.4.dr Static PE information: section name: .xwwauf
Source: XmlLite.dll.4.dr Static PE information: section name: .pkc
Source: XmlLite.dll.4.dr Static PE information: section name: .npkda
Source: XmlLite.dll.4.dr Static PE information: section name: .vhs
Source: XmlLite.dll.4.dr Static PE information: section name: .iaywj
Source: XmlLite.dll.4.dr Static PE information: section name: .nasi
Source: XmlLite.dll.4.dr Static PE information: section name: .zhvprh
Source: XmlLite.dll.4.dr Static PE information: section name: .yatdsp
Source: XmlLite.dll.4.dr Static PE information: section name: .njso
Source: XmlLite.dll.4.dr Static PE information: section name: .lgliat
Source: XmlLite.dll.4.dr Static PE information: section name: .ntqjh
Source: XmlLite.dll.4.dr Static PE information: section name: .sucsek
Source: XmlLite.dll.4.dr Static PE information: section name: .qsxjui
Source: XmlLite.dll.4.dr Static PE information: section name: .twctcm
Source: XmlLite.dll.4.dr Static PE information: section name: .nms
Source: XmlLite.dll.4.dr Static PE information: section name: .ogj
Source: XmlLite.dll.4.dr Static PE information: section name: .vrkgb
Source: XmlLite.dll.4.dr Static PE information: section name: .gikfw
Source: XmlLite.dll.4.dr Static PE information: section name: .ktl
Source: XmlLite.dll.4.dr Static PE information: section name: .crcn
Source: XmlLite.dll.4.dr Static PE information: section name: .wtfr
Source: XmlLite.dll.4.dr Static PE information: section name: .hep
Source: XmlLite.dll.4.dr Static PE information: section name: .ywg
Source: XmlLite.dll.4.dr Static PE information: section name: .sqsp
Source: XmlLite.dll.4.dr Static PE information: section name: .gzb
Source: XmlLite.dll.4.dr Static PE information: section name: .fatlss
Source: XmlLite.dll.4.dr Static PE information: section name: .plqa
Source: XmlLite.dll.4.dr Static PE information: section name: .vzt
Source: XmlLite.dll.4.dr Static PE information: section name: .dsbyd
Source: XmlLite.dll.4.dr Static PE information: section name: .cdelc
Source: XmlLite.dll.4.dr Static PE information: section name: .qkhkj
Source: XmlLite.dll.4.dr Static PE information: section name: .mnzegr
Source: XmlLite.dll.4.dr Static PE information: section name: .krw
Source: XmlLite.dll.4.dr Static PE information: section name: .jvsmn
Source: XmlLite.dll.4.dr Static PE information: section name: .bygpq
Source: XmlLite.dll.4.dr Static PE information: section name: .kzdbu
Source: XmlLite.dll.4.dr Static PE information: section name: .mwxorn
Source: XmlLite.dll.4.dr Static PE information: section name: .raf
Source: XmlLite.dll.4.dr Static PE information: section name: .zcyw
Source: XmlLite.dll.4.dr Static PE information: section name: .zeczh
Source: XmlLite.dll.4.dr Static PE information: section name: .pvv
Source: XmlLite.dll.4.dr Static PE information: section name: .lug
Source: XmlLite.dll.4.dr Static PE information: section name: .ski
Source: XmlLite.dll.4.dr Static PE information: section name: .japjd
Source: XmlLite.dll.4.dr Static PE information: section name: .mwtzml
Source: XmlLite.dll.4.dr Static PE information: section name: .vgssf
Source: XmlLite.dll.4.dr Static PE information: section name: .qqb
Source: XmlLite.dll.4.dr Static PE information: section name: .vje
Source: XmlLite.dll.4.dr Static PE information: section name: .kvmwo
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672558AD0 LoadLibraryW,GetProcAddress,GetCurrentProcess,FreeLibrary, 35_2_00007FF672558AD0
Source: FileHistory.exe.4.dr Static PE information: 0xFAD0FCA2 [Mon May 7 16:56:02 2103 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
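The three static indicators listed above (dozens of random-looking section names, a .text section with entropy near 7.8 bits/byte, and a link timestamp of 0xFAD0FCA2, i.e. the year 2103) can be reproduced without a sandbox. The script below is an added example, not part of the Joe Sandbox report, and uses only the Python standard library. Because it has to run offline, the image it inspects is a constructed, non-functional PE that mimics the layout described in the report (a section named .npkda, a pseudo-random .text, the same future timestamp); pass the bytes of a real file to triage_pe() to use it. The allowlist of linker section names and the 7.2 entropy threshold are the author's assumptions, not values taken from the report.

```python
"""Static PE triage with the standard library: non-standard section names,
.text entropy and an out-of-range link timestamp.

Added example (not part of the Joe Sandbox report). The image it inspects is
constructed in build_synthetic_pe(); the section-name allowlist and entropy
threshold are assumptions chosen for the example.
"""
import math
import random
import struct
import time
from datetime import datetime, timezone

# Assumption: section names produced by common Windows toolchains. Anything
# else (e.g. .npkda, .vhs from the report) is reported as non-standard.
STANDARD_SECTIONS = {
    ".text", ".data", ".rdata", ".idata", ".edata", ".pdata", ".xdata", ".rsrc",
    ".reloc", ".bss", ".tls", ".CRT", ".didat", ".imrsiv", ".00cfg", ".gfids",
    ".giats", ".sdata", ".sxdata", ".mrdata", ".ndata", ".textbss", ".debug",
}
ENTROPY_THRESHOLD = 7.2   # bits/byte; plain compiled code usually sits around 5.5-6.8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (TimeDateStamp, [(name, PointerToRawData, SizeOfRawData), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        off = table + i * 40               # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].split(b"\0", 1)[0].decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return stamp, sections


def triage_pe(pe: bytes, now=None) -> dict:
    """Apply the three heuristics and return the findings as a dict."""
    now = time.time() if now is None else now
    stamp, sections = parse_sections(pe)
    text_entropy = None
    for name, ptr, size in sections:
        if name == ".text" and size:
            text_entropy = shannon_entropy(pe[ptr:ptr + size])
    return {
        "section_count": len(sections),
        "nonstandard_sections": [n for n, _, _ in sections if n not in STANDARD_SECTIONS],
        "text_entropy": text_entropy,
        "text_packed": text_entropy is not None and text_entropy > ENTROPY_THRESHOLD,
        "timestamp": stamp,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "timestamp_in_future": stamp > now,
    }


def build_synthetic_pe() -> bytes:
    """Constructed test image, not a real binary: three sections, one with a
    random-looking name, a .text of pseudo-random bytes standing in for packed
    code, and the future-dated TimeDateStamp quoted in the report."""
    rng = random.Random(1)
    text = bytes(rng.getrandbits(8) for _ in range(4096))
    sections = [(b".text", text), (b".npkda", b"\0" * 64), (b".rsrc", b"\0" * 32)]
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0xFAD0FCA2,
                                   0, 0, 0, 0x2022)               # no optional header
    table, body, raw_ptr = b"", b"", 0x200
    for name, data in sections:
        table += (name.ljust(8, b"\0")
                  + struct.pack("<IIII", len(data), raw_ptr, len(data), raw_ptr)
                  + b"\0" * 12 + struct.pack("<I", 0x60000020))
        body += data
        raw_ptr += len(data)
    return (dos + coff + table).ljust(0x200, b"\0") + body


if __name__ == "__main__":
    for key, value in triage_pe(build_synthetic_pe()).items():
        print(f"{key}: {value}")
```

A high .text entropy by itself is not proof of malice (signed, commercially packed software also scores above 7), and the section-name allowlist will flag legitimate binaries built with unusual toolchains; the combination of all three indicators on one file, as here, is what makes the triage verdict strong.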
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\u70W8\UxTheme.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\rgsL2C4\BdeUISrv.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Odp\GamePanel.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\QpruqOk1\wlrmdr.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Odp\dwmapi.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\vVin\unregmp2.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pkru2Wsoo\PresentationHost.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\vVin\VERSION.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254FC14 GetWindowsDirectoryW,_wcsicmp,GetPrivateProfileStringW,wcsstr,_wcsicmp,_wcsicmp,_wcsicmp,WritePrivateProfileStringW,GetProfileStringW,_wcsicmp,_wcsicmp,WriteProfileStringW,WriteProfileStringW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,RegQueryValueExW,RegSetValueExW,RegQueryValueExW,RegSetValueExW,RegQueryValueExW,_wcsicmp,RegSetValueExW,RegOpenKeyExW,RegQueryValueExW,RegOpenKeyExW,RegQueryValueExW,_wcsicmp,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,_wcsicmp,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,_wcsicmp,RegSetValueExW,RegSetValueExW,RegSetValueExW,RegCloseKey, 35_2_00007FF67254FC14
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe TID: 408 Thread sleep count: 48 > 30 Jump to behavior
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\rgsL2C4\BdeUISrv.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\QpruqOk1\wlrmdr.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\pkru2Wsoo\PresentationHost.exe Jump to dropped file
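The "File created" lines above show explorer.exe writing a legitimately named Windows executable (FileHistory.exe, mspaint.exe, BdeUISrv.exe, wlrmdr.exe, PresentationHost.exe, GamePanel.exe, unregmp2.exe, omadmclient.exe) next to a DLL that carries the name of a system DLL, one pair per freshly created directory under %LOCALAPPDATA%. That layout is what an analyst would triage as DLL search-order hijacking (side-loading). The script below is an added example, not sandbox output: it parses the report lines copied above, pairs each EXE with the DLL in the same directory, and uses the "has not been started" lines to mark which pairs actually ran. Treating an EXE+DLL pair in one new directory as a side-loading candidate is the script's own heuristic; the report does not state which DLL each executable imports.

```python
"""Pair dropped EXEs with DLLs in the same directory (DLL side-loading triage).

Added example for this report, not output of the sandbox itself. It parses the
"File created" and "Dropped PE file which has not been started" lines copied
from the report; treating an EXE+DLL pair in one freshly created %LOCALAPPDATA%
directory as a side-loading candidate is this script's own heuristic, and the
report does not state which DLL each EXE imports.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Lines copied from the report. Lines of any other shape are ignored.
REPORT_LINES = r"""
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\u70W8\UxTheme.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\rgsL2C4\BdeUISrv.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Odp\GamePanel.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\QpruqOk1\wlrmdr.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Odp\dwmapi.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\vVin\unregmp2.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pkru2Wsoo\PresentationHost.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\vVin\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\rgsL2C4\BdeUISrv.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\QpruqOk1\wlrmdr.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\pkru2Wsoo\PresentationHost.exe Jump to dropped file
"""

FILE_CREATED = re.compile(r"File created: (?P<path>[A-Za-z]:\\[^ ]+)")
NOT_STARTED = re.compile(r"has not been started: (?P<path>[A-Za-z]:\\[^ ]+)")


def find_sideload_pairs(report_text):
    """Return one record per EXE/DLL pair dropped into the same directory."""
    by_dir = defaultdict(list)
    not_started = set()
    for line in report_text.splitlines():
        m = FILE_CREATED.search(line)
        if m:
            p = PureWindowsPath(m.group("path"))
            by_dir[str(p.parent).lower()].append(p)
            continue
        m = NOT_STARTED.search(line)
        if m:
            not_started.add(m.group("path").lower())

    pairs = []
    for directory in sorted(by_dir):
        files = by_dir[directory]
        exes = [f for f in files if f.suffix.lower() == ".exe"]
        dlls = [f for f in files if f.suffix.lower() == ".dll"]
        for exe in exes:
            for dll in dlls:
                # A pair counts as executed only if neither half appears in the
                # sandbox's "not started" list.
                executed = not any(str(f).lower() in not_started for f in (exe, dll))
                pairs.append({"dir": directory, "exe": exe.name,
                              "dll": dll.name, "executed": executed})
    return pairs


def summarize(pairs):
    """One human-readable line per candidate pair."""
    return [f"{p['dir']}: {p['exe']} + {p['dll']} "
            f"({'executed' if p['executed'] else 'dropped only'})" for p in pairs]


if __name__ == "__main__":
    print("\n".join(summarize(find_sideload_pairs(REPORT_LINES))))
```

Run against the lines above it yields eight pairs, five of which executed (u70W8, NYpervHTp, Odp, vVin, iv505rrw) and three that were only staged (rgsL2C4, QpruqOk1, pkru2Wsoo); the executed set matches the processes whose code functions appear later in the report (FileHistory.exe, mspaint.exe, GamePanel.exe, unregmp2.exe, omadmclient.exe). The same parser can be pointed at any other text export of this report format.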
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe API coverage: 0.3 %
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe API coverage: 0.2 %
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe API coverage: 0.2 %
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6711DDC0 GetSystemInfo, 0_2_00007FFC6711DDC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6711ED10 FindFirstFileExW, 0_2_00007FFC6711ED10
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C6ED10 FindFirstFileExW, 25_2_00007FFC74C6ED10
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672546088 FindFirstFileW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,FindNextFileW,FindClose,RegOpenKeyExW,LoadStringW,RegQueryValueExW,LoadStringW,RegCloseKey,PathAddBackslashW,GetFileAttributesW,RegOpenKeyExW,LoadStringW,RegQueryValueExW,PathAddBackslashW,GetFileAttributesW,RegCloseKey,RegCloseKey,LoadStringW,PathAddBackslashW,GetFileAttributesW,LoadStringW,PathAddBackslashW,GetFileAttributesW,wcsrchr,LoadStringW,PathAddBackslashW,GetFileAttributesW,RegOpenKeyExW,LoadStringW,RegQueryValueExW,PathAddBackslashW,GetFileAttributesW,RegCloseKey,RegCloseKey,LoadStringW,PathAddBackslashW,GetFileAttributesW,LoadStringW,PathAddBackslashW,GetFileAttributesW,wcsrchr, 35_2_00007FF672546088
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672545B4C PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW, 35_2_00007FF672545B4C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672548BFC CoInitialize,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,CoUninitialize, 35_2_00007FF672548BFC
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF6725472E8 RegOpenKeyExW,RegQueryValueExW,SHChangeNotify,RegDeleteValueW,wcsrchr,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,RegQueryValueExW,RegCloseKey, 35_2_00007FF6725472E8
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF6725479C4 SHGetSpecialFolderPathW,PathRemoveFileSpecW,PathRemoveFileSpecW,LoadStringW,PathRemoveFileSpecW,PathAppendW,PathIsDirectoryW,PathRemoveFileSpecW,PathAppendW,PathAppendW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW, 35_2_00007FF6725479C4
Source: explorer.exe, 00000004.00000000.265321965.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.265603387.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
Source: explorer.exe, 00000004.00000000.294834055.000000000831D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000004.00000000.274320160.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000004.00000000.301385277.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.294418619.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.265603387.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 00000004.00000000.331966593.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.279138421.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000004.00000000.294398322.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.265603387.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000004.00000000.265321965.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.294418619.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA32580 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 37_2_00007FF6BFA32580
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672558AD0 LoadLibraryW,GetProcAddress,GetCurrentProcess,FreeLibrary, 35_2_00007FF672558AD0
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA580D0 CreateStreamOnHGlobal,CreateXmlWriterOutputWithEncodingName,memset,memset,GetLastError,LocalFree,SetLastError,LocalFree,memset,FormatMessageW,GetLastError,GetProcessHeap,HeapAlloc,BigStrcat,GetLastError,LocalFree,SetLastError,??3@YAXPEAX@Z,LocalFree,LocalFree,LocalFree,??3@YAXPEAX@Z,LocalFree,LocalFree, 37_2_00007FF6BFA580D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC671097D0 LdrLoadDll,FindClose, 0_2_00007FFC671097D0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CA3F0A0 BlockInput,SendInput, 41_2_00007FF76CA3F0A0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FF6811E7570 SetUnhandledExceptionFilter, 21_2_00007FF6811E7570
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FF6811E77EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_00007FF6811E77EC
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672559D60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 35_2_00007FF672559D60
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67255A060 SetUnhandledExceptionFilter, 35_2_00007FF67255A060
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA65060 SetUnhandledExceptionFilter, 37_2_00007FF6BFA65060
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA64D80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 37_2_00007FF6BFA64D80
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CAABD44 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_00007FF76CAABD44
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CAABF20 SetUnhandledExceptionFilter, 41_2_00007FF76CAABF20

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: omadmclient.exe.4.dr Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC866FEFE0 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC866FE000 protect: page execute read Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC85C32A20 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h Jump to behavior
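The disassembly the sandbox prints beside the atom bytes is a 32-bit decoding: it reads 0x40 as `inc eax` and 0x48 as `dec eax`. Both rundll32.exe and the explorer.exe target here are 64-bit processes (every code-function address in this report is in the 0x00007FF... range), and in 64-bit mode the bytes 0x40 to 0x4F are REX prefixes, so the same 18 bytes are an ordinary x64 function prologue: `push rbp; push rbx; push rsi; push rdi; push r12; push r14; lea rbp, [rsp-0x2f]; sub rsp, 0x98`. The decoder below is an added example, not part of the report: it is a hand-written subset covering only the opcodes in that prologue (push r64, lea with a SIB base, and `sub r/m64, imm32`), not a general disassembler. Because the report shows only the first 18 bytes of the atom, the last immediate is cut to a single byte; the decoder reports that truncation and zero-pads it, which is an assumption.

```python
"""Re-decode the atom payload logged above as 64-bit code.

Added example, not part of the sandbox report. The sandbox column next to the
atom shows a 32-bit decoding ("inc eax", "push ebp", ...); inside a 64-bit
process the bytes 0x40-0x4F are REX prefixes, so the same bytes form a normal
x64 function prologue. This decoder handles only the opcodes in that prologue
(push r64, lea r64,[base+disp], sub r/m64,imm32); it is not a general
disassembler. The report shows only the first 18 bytes of the atom, so the
final imm32 is assumed to be zero-padded (an assumption, flagged in the output).
"""
ATOM_HEX = "405553565741544156488D6C24D14881EC98"  # copied from the report line above

_REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def _reg(n):
    return _REG64[n] if n < 8 else f"r{n}"


def decode_x64_prologue(hexstr):
    """Return a list of x64 instructions for the handled opcode subset."""
    code = bytes.fromhex(hexstr)
    out = []
    i = 0
    while i < len(code):
        rex_w = rex_r = rex_x = rex_b = 0
        b = code[i]
        if 0x40 <= b <= 0x4F:                     # REX prefix: 0100 W R X B
            rex_w, rex_r, rex_x, rex_b = (b >> 3) & 1, (b >> 2) & 1, (b >> 1) & 1, b & 1
            i += 1
            if i >= len(code):
                out.append("(truncated after REX prefix)")
                break
            b = code[i]
        if 0x50 <= b <= 0x57:                     # push r64; REX.B selects r8-r15
            out.append(f"push {_reg((b - 0x50) | (rex_b << 3))}")
            i += 1
        elif b == 0x8D and rex_w:                 # lea r64, [base + disp]
            modrm = code[i + 1]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            i += 2
            if rm == 4:                           # SIB follows; index 100 with REX.X=0 means "no index"
                sib = code[i]
                i += 1
                if (sib >> 3) & 7 != 4 or rex_x:
                    raise ValueError(f"scaled index at offset {i - 1} not in the handled subset")
                base = (sib & 7) | (rex_b << 3)
            else:
                base = rm | (rex_b << 3)
            disp = 0
            if mod == 1:                          # disp8, sign-extended
                disp = int.from_bytes(code[i:i + 1], "little", signed=True)
                i += 1
            elif mod == 2:                        # disp32, sign-extended
                disp = int.from_bytes(code[i:i + 4], "little", signed=True)
                i += 4
            out.append(f"lea {_reg(reg | (rex_r << 3))}, [{_reg(base)}{disp:+#x}]")
        elif b == 0x81 and rex_w:                 # 81 /5 id: sub r/m64, imm32
            modrm = code[i + 1]
            mod, op, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod != 3 or op != 5:
                raise ValueError(f"81 form at offset {i} not in the handled subset")
            i += 2
            imm_bytes = code[i:i + 4]
            i += len(imm_bytes)
            note = ""
            if len(imm_bytes) < 4:                # the report cut the atom bytes short
                note = " ; imm32 truncated in report, assumed zero-padded"
                imm_bytes = imm_bytes.ljust(4, b"\x00")
            imm = int.from_bytes(imm_bytes, "little")
            out.append(f"sub {_reg(rm | (rex_b << 3))}, {imm:#x}{note}")
        else:
            raise ValueError(f"opcode {b:#04x} at offset {i} not in the handled subset")
    return out


if __name__ == "__main__":
    for insn in decode_x64_prologue(ATOM_HEX):
        print(insn)
```

Six callee-saved pushes followed by a frame-pointer `lea` and a stack reservation is a compiler-generated prologue, so the atom carries the beginning of a function body rather than hand-rolled shellcode; the memory-protection changes and the queued APC in the surrounding lines are how that code is copied into and executed inside explorer.exe. When reading atom payloads from this kind of report, decode them with the bitness of the target process, not the default the report applies.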
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1 Jump to behavior
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CAA8CAC mouse_event,SetForegroundWindow, 41_2_00007FF76CAA8CAC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: 41_2_00007FF76CAA6418 AllocateAndInitializeSid,GetLastError,CloseHandle,SetLastError,OpenProcessToken,GetLastError,CloseHandle,SetLastError,DuplicateToken,CheckTokenMembership,GetLastError,FreeSid,CloseHandle,CloseHandle, 41_2_00007FF76CAA6418
Source: explorer.exe, 00000004.00000000.257921423.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.274335367.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.301355437.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000004.00000000.294181422.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.289310856.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.310394256.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.301862595.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.318198734.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.258158714.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.301862595.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.318198734.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.258158714.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.317889504.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.274743246.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.301385277.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000004.00000000.301862595.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.318198734.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.258158714.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Queries volume information: C:\Users\user\AppData\Local\u70W8\FileHistory.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: _o__W_Getdays,_o_free,_o_malloc,memmove,_o_free,_o__W_Getmonths,_o_free,_o_malloc,memmove,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx, 41_2_00007FF76CA9CE28
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: _o__Getdays,_o_free,_o_calloc,_o__Getmonths,_o_free,_o_calloc,_o_calloc,_o____lc_locale_name_func,GetLocaleInfoEx,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task, 41_2_00007FF76CA90A3C
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: _o__Getdays,_o_free,_o__Getmonths,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx, 41_2_00007FF76CA9A840
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Code function: WindowsGetStringRawBuffer,WideCharToMultiByte,WindowsDeleteString,WindowsDuplicateString,WindowsDeleteString,WindowsDuplicateString,GetUserDefaultUILanguage,LCIDToLocaleName,GetLocaleInfoEx, 41_2_00007FF76CA16068
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Code function: 21_2_00007FF6811E7704 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 21_2_00007FF6811E7704
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254CF64 GetModuleFileNameW,GetFileVersionInfoSizeW,CreateFileW,GetFileTime,FileTimeToSystemTime,memset,GetTimeZoneInformation,SystemTimeToVariantTime,VariantTimeToSystemTime,CloseHandle,GetFileVersionInfoW,VerQueryValueW, 35_2_00007FF67254CF64
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF67254BABC GetVersionExW,RegOpenKeyExW,RegQueryValueExW,_wtol,RegOpenKeyExW,RegQueryValueExW,wcschr,_wtoi,wcschr,_wtoi,swscanf,swscanf,swscanf,RegCloseKey, 35_2_00007FF67254BABC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC67109400 GetUserNameW, 0_2_00007FFC67109400
No contacted IP infos